feat: validate org domains (#3387)

* feat: validate org domain command side * feat: validate org domain query side * fix: create domain policy * feat: add reading domain policy on addorg domain
2025-08-12 00:47:33 +00:00 · 2022-04-13 11:24:03 +02:00
parent db554536a1
commit 820a21dce3
33 changed files with 223 additions and 39 deletions
--- a/internal/command/instance.go
+++ b/internal/command/instance.go
@@ -78,6 +78,7 @@ type InstanceSetup struct {
 	}
 	DomainPolicy struct {
 		UserLoginMustBeDomain bool
+		ValidateOrgDomains    bool
 	}
 	LoginPolicy struct {
 		AllowUsernamePassword      bool
@@ -242,6 +243,7 @@ func (c *commandNew) SetUpInstance(ctx context.Context, setup *InstanceSetup) (*
 		AddDefaultDomainPolicy(
 			instanceAgg,
 			setup.DomainPolicy.UserLoginMustBeDomain,
+			setup.DomainPolicy.ValidateOrgDomains,
 		),
 		AddDefaultLoginPolicy(
 			instanceAgg,
--- a/internal/command/instance_converter.go
+++ b/internal/command/instance_converter.go
@@ -69,6 +69,7 @@ func writeModelToDomainPolicy(wm *InstanceDomainPolicyWriteModel) *domain.Domain
 	return &domain.DomainPolicy{
 		ObjectRoot:            writeModelToObjectRoot(wm.PolicyDomainWriteModel.WriteModel),
 		UserLoginMustBeDomain: wm.UserLoginMustBeDomain,
+		ValidateOrgDomains:    wm.ValidateOrgDomains,
 	}
 }

--- a/internal/command/instance_domain_policy.go
+++ b/internal/command/instance_domain_policy.go
@@ -10,7 +10,8 @@ import (

 func AddDefaultDomainPolicy(
 	a *instance.Aggregate,
-	userLoginMustBeDomain bool,
+	userLoginMustBeDomain,
+	validateOrgDomains bool,
 ) preparation.Validation {
 	return func() (preparation.CreateCommands, error) {
 		return func(ctx context.Context, filter preparation.FilterToQueryReducer) ([]eventstore.Command, error) {
@@ -18,6 +19,7 @@ func AddDefaultDomainPolicy(
 			return []eventstore.Command{
 				instance.NewDomainPolicyAddedEvent(ctx, &a.Aggregate,
 					userLoginMustBeDomain,
+					validateOrgDomains,
 				),
 			}, nil
 		}, nil
--- a/internal/command/instance_policy_domain.go
+++ b/internal/command/instance_policy_domain.go
@@ -37,7 +37,7 @@ func (c *Commands) addDefaultDomainPolicy(ctx context.Context, instanceAgg *even
 	if addedPolicy.State == domain.PolicyStateActive {
 		return nil, caos_errs.ThrowAlreadyExists(nil, "INSTANCE-Lk0dS", "Errors.IAM.DomainPolicy.AlreadyExists")
 	}
-	return iam_repo.NewDomainPolicyAddedEvent(ctx, instanceAgg, policy.UserLoginMustBeDomain), nil
+	return iam_repo.NewDomainPolicyAddedEvent(ctx, instanceAgg, policy.UserLoginMustBeDomain, policy.ValidateOrgDomains), nil
 }

 func (c *Commands) ChangeDefaultDomainPolicy(ctx context.Context, policy *domain.DomainPolicy) (*domain.DomainPolicy, error) {
@@ -50,7 +50,7 @@ func (c *Commands) ChangeDefaultDomainPolicy(ctx context.Context, policy *domain
 	}

 	instanceAgg := InstanceAggregateFromWriteModel(&existingPolicy.PolicyDomainWriteModel.WriteModel)
-	changedEvent, hasChanged := existingPolicy.NewChangedEvent(ctx, instanceAgg, policy.UserLoginMustBeDomain)
+	changedEvent, hasChanged := existingPolicy.NewChangedEvent(ctx, instanceAgg, policy.UserLoginMustBeDomain, policy.ValidateOrgDomains)
 	if !hasChanged {
 		return nil, caos_errs.ThrowPreconditionFailed(nil, "INSTANCE-4M9vs", "Errors.IAM.LabelPolicy.NotChanged")
 	}
--- a/internal/command/instance_policy_domain_model.go
+++ b/internal/command/instance_policy_domain_model.go
@@ -55,11 +55,15 @@ func (wm *InstanceDomainPolicyWriteModel) Query() *eventstore.SearchQueryBuilder
 func (wm *InstanceDomainPolicyWriteModel) NewChangedEvent(
 	ctx context.Context,
 	aggregate *eventstore.Aggregate,
-	userLoginMustBeDomain bool) (*instance.DomainPolicyChangedEvent, bool) {
-	changes := make([]policy.OrgPolicyChanges, 0)
+	userLoginMustBeDomain,
+	validateOrgDomain bool) (*instance.DomainPolicyChangedEvent, bool) {
+	changes := make([]policy.DomainPolicyChanges, 0)
 	if wm.UserLoginMustBeDomain != userLoginMustBeDomain {
 		changes = append(changes, policy.ChangeUserLoginMustBeDomain(userLoginMustBeDomain))
 	}
+	if wm.ValidateOrgDomains != validateOrgDomain {
+		changes = append(changes, policy.ChangeValidateOrgDomains(validateOrgDomain))
+	}
 	if len(changes) == 0 {
 		return nil, false
 	}
--- a/internal/command/instance_policy_domain_test.go
+++ b/internal/command/instance_policy_domain_test.go
@@ -43,6 +43,7 @@ func TestCommandSide_AddDefaultDomainPolicy(t *testing.T) {
 							instance.NewDomainPolicyAddedEvent(context.Background(),
 								&instance.NewAggregate("INSTANCE").Aggregate,
 								true,
+								true,
 							),
 						),
 					),
@@ -52,6 +53,7 @@ func TestCommandSide_AddDefaultDomainPolicy(t *testing.T) {
 				ctx: context.Background(),
 				policy: &domain.DomainPolicy{
 					UserLoginMustBeDomain: true,
+					ValidateOrgDomains:    true,
 				},
 			},
 			res: res{
@@ -71,6 +73,7 @@ func TestCommandSide_AddDefaultDomainPolicy(t *testing.T) {
 								instance.NewDomainPolicyAddedEvent(context.Background(),
 									&instance.NewAggregate("INSTANCE").Aggregate,
 									true,
+									true,
 								),
 							),
 						},
@@ -81,6 +84,7 @@ func TestCommandSide_AddDefaultDomainPolicy(t *testing.T) {
 				ctx: authz.WithInstanceID(context.Background(), "INSTANCE"),
 				policy: &domain.DomainPolicy{
 					UserLoginMustBeDomain: true,
+					ValidateOrgDomains:    true,
 				},
 			},
 			res: res{
@@ -91,6 +95,7 @@ func TestCommandSide_AddDefaultDomainPolicy(t *testing.T) {
 						ResourceOwner: "INSTANCE",
 					},
 					UserLoginMustBeDomain: true,
+					ValidateOrgDomains:    true,
 				},
 			},
 		},
@@ -144,6 +149,7 @@ func TestCommandSide_ChangeDefaultDomainPolicy(t *testing.T) {
 				ctx: context.Background(),
 				policy: &domain.DomainPolicy{
 					UserLoginMustBeDomain: true,
+					ValidateOrgDomains:    true,
 				},
 			},
 			res: res{
@@ -160,6 +166,7 @@ func TestCommandSide_ChangeDefaultDomainPolicy(t *testing.T) {
 							instance.NewDomainPolicyAddedEvent(context.Background(),
 								&instance.NewAggregate("INSTANCE").Aggregate,
 								true,
+								true,
 							),
 						),
 					),
@@ -169,6 +176,7 @@ func TestCommandSide_ChangeDefaultDomainPolicy(t *testing.T) {
 				ctx: context.Background(),
 				policy: &domain.DomainPolicy{
 					UserLoginMustBeDomain: true,
+					ValidateOrgDomains:    true,
 				},
 			},
 			res: res{
@@ -185,13 +193,14 @@ func TestCommandSide_ChangeDefaultDomainPolicy(t *testing.T) {
 							instance.NewDomainPolicyAddedEvent(context.Background(),
 								&instance.NewAggregate("INSTANCE").Aggregate,
 								true,
+								true,
 							),
 						),
 					),
 					expectPush(
 						[]*repository.Event{
 							eventFromEventPusher(
-								newDefaultDomainPolicyChangedEvent(context.Background(), false),
+								newDefaultDomainPolicyChangedEvent(context.Background(), false, false),
 							),
 						},
 					),
@@ -201,6 +210,7 @@ func TestCommandSide_ChangeDefaultDomainPolicy(t *testing.T) {
 				ctx: context.Background(),
 				policy: &domain.DomainPolicy{
 					UserLoginMustBeDomain: false,
+					ValidateOrgDomains:    false,
 				},
 			},
 			res: res{
@@ -210,6 +220,7 @@ func TestCommandSide_ChangeDefaultDomainPolicy(t *testing.T) {
 						ResourceOwner: "INSTANCE",
 					},
 					UserLoginMustBeDomain: false,
+					ValidateOrgDomains:    false,
 				},
 			},
 		},
@@ -233,11 +244,12 @@ func TestCommandSide_ChangeDefaultDomainPolicy(t *testing.T) {
 	}
 }

-func newDefaultDomainPolicyChangedEvent(ctx context.Context, userLoginMustBeDomain bool) *instance.DomainPolicyChangedEvent {
+func newDefaultDomainPolicyChangedEvent(ctx context.Context, userLoginMustBeDomain, validateOrgDomains bool) *instance.DomainPolicyChangedEvent {
 	event, _ := instance.NewDomainPolicyChangedEvent(ctx,
 		&instance.NewAggregate("INSTANCE").Aggregate,
-		[]policy.OrgPolicyChanges{
+		[]policy.DomainPolicyChanges{
 			policy.ChangeUserLoginMustBeDomain(userLoginMustBeDomain),
+			policy.ChangeValidateOrgDomains(validateOrgDomains),
 		},
 	)
 	return event
--- a/internal/command/org_converter.go
+++ b/internal/command/org_converter.go
@@ -17,6 +17,7 @@ func orgWriteModelToDomainPolicy(wm *OrgDomainPolicyWriteModel) *domain.DomainPo
 	return &domain.DomainPolicy{
 		ObjectRoot:            writeModelToObjectRoot(wm.PolicyDomainWriteModel.WriteModel),
 		UserLoginMustBeDomain: wm.UserLoginMustBeDomain,
+		ValidateOrgDomains:    wm.ValidateOrgDomains,
 	}
 }

--- a/internal/command/org_domain.go
+++ b/internal/command/org_domain.go
@@ -2,12 +2,11 @@ package command

 import (
 	"context"
+	errs "errors"
 	"strings"

 	"github.com/caos/logging"

-	errs "errors"
-
 	http_utils "github.com/caos/zitadel/internal/api/http"
 	"github.com/caos/zitadel/internal/command/preparation"
 	"github.com/caos/zitadel/internal/crypto"
@@ -30,7 +29,15 @@ func AddOrgDomain(a *org.Aggregate, domain string) preparation.Validation {
 			if existing != nil && existing.Verified {
 				return nil, errors.ThrowAlreadyExists(nil, "V2-e1wse", "Errors.Already.Exists")
 			}
-			return []eventstore.Command{org.NewDomainAddedEvent(ctx, &a.Aggregate, domain)}, nil
+			domainPolicy, err := domainPolicyWriteModel(ctx, filter)
+			if err != nil {
+				return nil, err
+			}
+			events := []eventstore.Command{org.NewDomainAddedEvent(ctx, &a.Aggregate, domain)}
+			if !domainPolicy.ValidateOrgDomains {
+				events = append(events, org.NewDomainVerifiedEvent(ctx, &a.Aggregate, domain))
+			}
+			return events, nil
 		}, nil
 	}
 }
--- a/internal/command/org_domain_test.go
+++ b/internal/command/org_domain_test.go
@@ -47,12 +47,14 @@ func TestAddDomain(t *testing.T) {
 			},
 		},
 		{
-			name: "correct",
+			name: "correct (should verify domain)",
 			args: args{
 				a:      agg,
 				domain: "domain",
 				filter: func(ctx context.Context, queryFactory *eventstore.SearchQueryBuilder) ([]eventstore.Event, error) {
-					return nil, nil
+					return []eventstore.Event{
+						org.NewDomainPolicyAddedEvent(ctx, &agg.Aggregate, true, true),
+					}, nil
 				},
 			},
 			want: Want{
@@ -61,6 +63,24 @@ func TestAddDomain(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "correct (should not verify domain)",
+			args: args{
+				a:      agg,
+				domain: "domain",
+				filter: func(ctx context.Context, queryFactory *eventstore.SearchQueryBuilder) ([]eventstore.Event, error) {
+					return []eventstore.Event{
+						org.NewDomainPolicyAddedEvent(ctx, &agg.Aggregate, true, false),
+					}, nil
+				},
+			},
+			want: Want{
+				Commands: []eventstore.Command{
+					org.NewDomainAddedEvent(context.Background(), &agg.Aggregate, "domain"),
+					org.NewDomainVerifiedEvent(context.Background(), &agg.Aggregate, "domain"),
+				},
+			},
+		},
 		{
 			name: "already verified",
 			args: args{
@@ -1022,7 +1042,7 @@ func TestCommandSide_ValidateOrgDomain(t *testing.T) {
 						eventFromEventPusher(
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&org.NewAggregate("org2", "org2").Aggregate,
-								false))),
+								false, false))),
 					expectPush(
 						[]*repository.Event{
 							eventFromEventPusher(org.NewDomainVerifiedEvent(context.Background(),
--- a/internal/command/org_policy_domain.go
+++ b/internal/command/org_policy_domain.go
@@ -39,7 +39,7 @@ func (c *Commands) addOrgDomainPolicy(ctx context.Context, orgAgg *eventstore.Ag
 	if addedPolicy.State == domain.PolicyStateActive {
 		return nil, caos_errs.ThrowAlreadyExists(nil, "ORG-1M8ds", "Errors.Org.DomainPolicy.AlreadyExists")
 	}
-	return org.NewDomainPolicyAddedEvent(ctx, orgAgg, policy.UserLoginMustBeDomain), nil
+	return org.NewDomainPolicyAddedEvent(ctx, orgAgg, policy.UserLoginMustBeDomain, policy.ValidateOrgDomains), nil
 }

 func (c *Commands) ChangeOrgDomainPolicy(ctx context.Context, resourceOwner string, policy *domain.DomainPolicy) (*domain.DomainPolicy, error) {
@@ -55,7 +55,7 @@ func (c *Commands) ChangeOrgDomainPolicy(ctx context.Context, resourceOwner stri
 	}

 	orgAgg := OrgAggregateFromWriteModel(&existingPolicy.PolicyDomainWriteModel.WriteModel)
-	changedEvent, hasChanged := existingPolicy.NewChangedEvent(ctx, orgAgg, policy.UserLoginMustBeDomain)
+	changedEvent, hasChanged := existingPolicy.NewChangedEvent(ctx, orgAgg, policy.UserLoginMustBeDomain, policy.ValidateOrgDomains)
 	if !hasChanged {
 		return nil, caos_errs.ThrowPreconditionFailed(nil, "ORG-3M9ds", "Errors.Org.LabelPolicy.NotChanged")
 	}
--- a/internal/command/org_policy_domain_model.go
+++ b/internal/command/org_policy_domain_model.go
@@ -56,11 +56,15 @@ func (wm *OrgDomainPolicyWriteModel) Query() *eventstore.SearchQueryBuilder {
 func (wm *OrgDomainPolicyWriteModel) NewChangedEvent(
 	ctx context.Context,
 	aggregate *eventstore.Aggregate,
-	userLoginMustBeDomain bool) (*org.DomainPolicyChangedEvent, bool) {
-	changes := make([]policy.OrgPolicyChanges, 0)
+	userLoginMustBeDomain,
+	validateOrgDomains bool) (*org.DomainPolicyChangedEvent, bool) {
+	changes := make([]policy.DomainPolicyChanges, 0)
 	if wm.UserLoginMustBeDomain != userLoginMustBeDomain {
 		changes = append(changes, policy.ChangeUserLoginMustBeDomain(userLoginMustBeDomain))
 	}
+	if wm.ValidateOrgDomains != validateOrgDomains {
+		changes = append(changes, policy.ChangeValidateOrgDomains(validateOrgDomains))
+	}
 	if len(changes) == 0 {
 		return nil, false
 	}
--- a/internal/command/org_policy_domain_test.go
+++ b/internal/command/org_policy_domain_test.go
@@ -45,6 +45,7 @@ func TestCommandSide_AddDomainPolicy(t *testing.T) {
 				ctx: context.Background(),
 				policy: &domain.DomainPolicy{
 					UserLoginMustBeDomain: true,
+					ValidateOrgDomains:    true,
 				},
 			},
 			res: res{
@@ -61,6 +62,7 @@ func TestCommandSide_AddDomainPolicy(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&org.NewAggregate("org1", "org1").Aggregate,
 								true,
+								true,
 							),
 						),
 					),
@@ -71,6 +73,7 @@ func TestCommandSide_AddDomainPolicy(t *testing.T) {
 				orgID: "org1",
 				policy: &domain.DomainPolicy{
 					UserLoginMustBeDomain: true,
+					ValidateOrgDomains:    true,
 				},
 			},
 			res: res{
@@ -89,6 +92,7 @@ func TestCommandSide_AddDomainPolicy(t *testing.T) {
 								org.NewDomainPolicyAddedEvent(context.Background(),
 									&org.NewAggregate("org1", "org1").Aggregate,
 									true,
+									true,
 								),
 							),
 						},
@@ -100,6 +104,7 @@ func TestCommandSide_AddDomainPolicy(t *testing.T) {
 				orgID: "org1",
 				policy: &domain.DomainPolicy{
 					UserLoginMustBeDomain: true,
+					ValidateOrgDomains:    true,
 				},
 			},
 			res: res{
@@ -109,6 +114,7 @@ func TestCommandSide_AddDomainPolicy(t *testing.T) {
 						ResourceOwner: "org1",
 					},
 					UserLoginMustBeDomain: true,
+					ValidateOrgDomains:    true,
 				},
 			},
 		},
@@ -162,6 +168,7 @@ func TestCommandSide_ChangeDomainPolicy(t *testing.T) {
 				ctx: context.Background(),
 				policy: &domain.DomainPolicy{
 					UserLoginMustBeDomain: true,
+					ValidateOrgDomains:    true,
 				},
 			},
 			res: res{
@@ -181,6 +188,7 @@ func TestCommandSide_ChangeDomainPolicy(t *testing.T) {
 				orgID: "org1",
 				policy: &domain.DomainPolicy{
 					UserLoginMustBeDomain: true,
+					ValidateOrgDomains:    true,
 				},
 			},
 			res: res{
@@ -197,6 +205,7 @@ func TestCommandSide_ChangeDomainPolicy(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&org.NewAggregate("org1", "org1").Aggregate,
 								true,
+								true,
 							),
 						),
 					),
@@ -207,6 +216,7 @@ func TestCommandSide_ChangeDomainPolicy(t *testing.T) {
 				orgID: "org1",
 				policy: &domain.DomainPolicy{
 					UserLoginMustBeDomain: true,
+					ValidateOrgDomains:    true,
 				},
 			},
 			res: res{
@@ -223,13 +233,14 @@ func TestCommandSide_ChangeDomainPolicy(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&org.NewAggregate("org1", "org1").Aggregate,
 								true,
+								true,
 							),
 						),
 					),
 					expectPush(
 						[]*repository.Event{
 							eventFromEventPusher(
-								newDomainPolicyChangedEvent(context.Background(), "org1", false),
+								newDomainPolicyChangedEvent(context.Background(), "org1", false, false),
 							),
 						},
 					),
@@ -240,6 +251,7 @@ func TestCommandSide_ChangeDomainPolicy(t *testing.T) {
 				orgID: "org1",
 				policy: &domain.DomainPolicy{
 					UserLoginMustBeDomain: false,
+					ValidateOrgDomains:    false,
 				},
 			},
 			res: res{
@@ -249,6 +261,7 @@ func TestCommandSide_ChangeDomainPolicy(t *testing.T) {
 						ResourceOwner: "org1",
 					},
 					UserLoginMustBeDomain: false,
+					ValidateOrgDomains:    false,
 				},
 			},
 		},
@@ -330,6 +343,7 @@ func TestCommandSide_RemoveDomainPolicy(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&org.NewAggregate("org1", "org1").Aggregate,
 								true,
+								true,
 							),
 						),
 					),
@@ -370,11 +384,12 @@ func TestCommandSide_RemoveDomainPolicy(t *testing.T) {
 	}
 }

-func newDomainPolicyChangedEvent(ctx context.Context, orgID string, userLoginMustBeDomain bool) *org.DomainPolicyChangedEvent {
+func newDomainPolicyChangedEvent(ctx context.Context, orgID string, userLoginMustBeDomain, validateOrgDomains bool) *org.DomainPolicyChangedEvent {
 	event, _ := org.NewDomainPolicyChangedEvent(ctx,
 		&org.NewAggregate(orgID, orgID).Aggregate,
-		[]policy.OrgPolicyChanges{
+		[]policy.DomainPolicyChanges{
 			policy.ChangeUserLoginMustBeDomain(userLoginMustBeDomain),
+			policy.ChangeValidateOrgDomains(validateOrgDomains),
 		},
 	)
 	return event
--- a/internal/command/policy_org_model.go
+++ b/internal/command/policy_org_model.go
@@ -10,6 +10,7 @@ type PolicyDomainWriteModel struct {
 	eventstore.WriteModel

 	UserLoginMustBeDomain bool
+	ValidateOrgDomains    bool
 	State                 domain.PolicyState
 }

@@ -18,11 +19,15 @@ func (wm *PolicyDomainWriteModel) Reduce() error {
 		switch e := event.(type) {
 		case *policy.DomainPolicyAddedEvent:
 			wm.UserLoginMustBeDomain = e.UserLoginMustBeDomain
+			wm.ValidateOrgDomains = e.ValidateOrgDomains
 			wm.State = domain.PolicyStateActive
 		case *policy.DomainPolicyChangedEvent:
 			if e.UserLoginMustBeDomain != nil {
 				wm.UserLoginMustBeDomain = *e.UserLoginMustBeDomain
 			}
+			if e.ValidateOrgDomains != nil {
+				wm.ValidateOrgDomains = *e.ValidateOrgDomains
+			}
 		}
 	}
 	return wm.WriteModel.Reduce()
--- a/internal/command/user_domain_policy_test.go
+++ b/internal/command/user_domain_policy_test.go
@@ -53,6 +53,7 @@ func Test_customDomainPolicy(t *testing.T) {
 							context.Background(),
 							&org.NewAggregate("id", "ro").Aggregate,
 							true,
+							true,
 						),
 					}, nil
 				},
@@ -64,6 +65,7 @@ func Test_customDomainPolicy(t *testing.T) {
 					Events:        []eventstore.Event{},
 				},
 				UserLoginMustBeDomain: true,
+				ValidateOrgDomains:    true,
 				State:                 domain.PolicyStateActive,
 			},
 			wantErr: false,
@@ -122,6 +124,7 @@ func Test_defaultDomainPolicy(t *testing.T) {
 							context.Background(),
 							&instance.NewAggregate("INSTANCE").Aggregate,
 							true,
+							true,
 						),
 					}, nil
 				},
@@ -133,6 +136,7 @@ func Test_defaultDomainPolicy(t *testing.T) {
 					Events:        []eventstore.Event{},
 				},
 				UserLoginMustBeDomain: true,
+				ValidateOrgDomains:    true,
 				State:                 domain.PolicyStateActive,
 			},
 			wantErr: false,
@@ -181,6 +185,7 @@ func Test_DomainPolicy(t *testing.T) {
 							context.Background(),
 							&org.NewAggregate("id", "ro").Aggregate,
 							true,
+							true,
 						),
 					}, nil
 				},
@@ -192,6 +197,7 @@ func Test_DomainPolicy(t *testing.T) {
 					Events:        []eventstore.Event{},
 				},
 				UserLoginMustBeDomain: true,
+				ValidateOrgDomains:    true,
 				State:                 domain.PolicyStateActive,
 			},
 			wantErr: false,
@@ -224,6 +230,7 @@ func Test_DomainPolicy(t *testing.T) {
 								context.Background(),
 								&instance.NewAggregate("INSTANCE").Aggregate,
 								true,
+								true,
 							),
 						}, nil
 					}).
@@ -236,6 +243,7 @@ func Test_DomainPolicy(t *testing.T) {
 					Events:        []eventstore.Event{},
 				},
 				UserLoginMustBeDomain: true,
+				ValidateOrgDomains:    true,
 				State:                 domain.PolicyStateActive,
 			},
 			wantErr: false,
--- a/internal/command/user_human_otp_test.go
+++ b/internal/command/user_human_otp_test.go
@@ -179,6 +179,7 @@ func TestCommandSide_AddHumanOTP(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&org.NewAggregate("org1", "org1").Aggregate,
 								true,
+								true,
 							),
 						),
 					),
--- a/internal/command/user_human_test.go
+++ b/internal/command/user_human_test.go
@@ -112,6 +112,7 @@ func TestCommandSide_AddHuman(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&userAgg.Aggregate,
 								true,
+								true,
 							),
 						),
 					),
@@ -167,6 +168,7 @@ func TestCommandSide_AddHuman(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&userAgg.Aggregate,
 								true,
+								true,
 							),
 						),
 					),
@@ -282,6 +284,7 @@ func TestCommandSide_AddHuman(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&user.NewAggregate("user1", "org1").Aggregate,
 								true,
+								true,
 							),
 						),
 					),
@@ -398,6 +401,7 @@ func TestCommandSide_AddHuman(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&userAgg.Aggregate,
 								true,
+								true,
 							),
 						),
 					),
@@ -493,6 +497,7 @@ func TestCommandSide_AddHuman(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&userAgg.Aggregate,
 								true,
+								true,
 							),
 						),
 					),
@@ -575,6 +580,7 @@ func TestCommandSide_AddHuman(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&userAgg.Aggregate,
 								true,
+								true,
 							),
 						),
 					),
@@ -793,6 +799,7 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&user.NewAggregate("user1", "org1").Aggregate,
 								true,
+								true,
 							),
 						),
 					),
@@ -828,6 +835,7 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&user.NewAggregate("user1", "org1").Aggregate,
 								true,
+								true,
 							),
 						),
 					),
@@ -869,6 +877,7 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&user.NewAggregate("user1", "org1").Aggregate,
 								true,
+								true,
 							),
 						),
 					),
@@ -957,6 +966,7 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&user.NewAggregate("user1", "org1").Aggregate,
 								true,
+								true,
 							),
 						),
 					),
@@ -1039,6 +1049,7 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&user.NewAggregate("user1", "org1").Aggregate,
 								true,
+								true,
 							),
 						),
 					),
@@ -1143,6 +1154,7 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&user.NewAggregate("user1", "org1").Aggregate,
 								true,
+								true,
 							),
 						),
 					),
@@ -1251,6 +1263,7 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&user.NewAggregate("user1", "org1").Aggregate,
 								true,
+								true,
 							),
 						),
 					),
@@ -1355,6 +1368,7 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&user.NewAggregate("user1", "org1").Aggregate,
 								true,
+								true,
 							),
 						),
 					),
@@ -1556,6 +1570,7 @@ func TestCommandSide_RegisterHuman(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&org.NewAggregate("org1", "org1").Aggregate,
 								true,
+								true,
 							),
 						),
 					),
@@ -1594,6 +1609,7 @@ func TestCommandSide_RegisterHuman(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&org.NewAggregate("org1", "org1").Aggregate,
 								true,
+								true,
 							),
 						),
 					),
@@ -1640,6 +1656,7 @@ func TestCommandSide_RegisterHuman(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&org.NewAggregate("org1", "org1").Aggregate,
 								true,
+								true,
 							),
 						),
 					),
@@ -1702,6 +1719,7 @@ func TestCommandSide_RegisterHuman(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&org.NewAggregate("org1", "org1").Aggregate,
 								true,
+								true,
 							),
 						),
 					),
@@ -1764,6 +1782,7 @@ func TestCommandSide_RegisterHuman(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&org.NewAggregate("org1", "org1").Aggregate,
 								false,
+								true,
 							),
 						),
 					),
@@ -1843,6 +1862,7 @@ func TestCommandSide_RegisterHuman(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&org.NewAggregate("org1", "org1").Aggregate,
 								false,
+								true,
 							),
 						),
 					),
@@ -1980,6 +2000,7 @@ func TestCommandSide_RegisterHuman(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&org.NewAggregate("org1", "org1").Aggregate,
 								true,
+								true,
 							),
 						),
 					),
@@ -2085,6 +2106,7 @@ func TestCommandSide_RegisterHuman(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&user.NewAggregate("org1", "org1").Aggregate,
 								true,
+								true,
 							),
 						),
 					),
@@ -2184,6 +2206,7 @@ func TestCommandSide_RegisterHuman(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&org.NewAggregate("org1", "org1").Aggregate,
 								true,
+								true,
 							),
 						),
 					),
@@ -2305,6 +2328,7 @@ func TestCommandSide_RegisterHuman(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&org.NewAggregate("org1", "org1").Aggregate,
 								true,
+								true,
 							),
 						),
 					),
@@ -2875,6 +2899,7 @@ func TestAddHumanCommand(t *testing.T) {
 								context.Background(),
 								&org.NewAggregate("id", "ro").Aggregate,
 								true,
+								true,
 							),
 						}, nil
 					}).
@@ -2917,6 +2942,7 @@ func TestAddHumanCommand(t *testing.T) {
 								context.Background(),
 								&org.NewAggregate("id", "ro").Aggregate,
 								true,
+								true,
 							),
 						}, nil
 					}).
--- a/internal/command/user_machine_test.go
+++ b/internal/command/user_machine_test.go
@@ -86,6 +86,7 @@ func TestCommandSide_AddMachine(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&user.NewAggregate("user1", "org1").Aggregate,
 								false,
+								true,
 							),
 						),
 					),
@@ -113,6 +114,7 @@ func TestCommandSide_AddMachine(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&user.NewAggregate("user1", "org1").Aggregate,
 								true,
+								true,
 							),
 						),
 					),
--- a/internal/command/user_test.go
+++ b/internal/command/user_test.go
@@ -207,6 +207,7 @@ func TestCommandSide_UsernameChange(t *testing.T) {
 							instance.NewDomainPolicyAddedEvent(context.Background(),
 								&user.NewAggregate("user1", "org1").Aggregate,
 								true,
+								true,
 							),
 						),
 					),
@@ -249,6 +250,7 @@ func TestCommandSide_UsernameChange(t *testing.T) {
 							instance.NewDomainPolicyAddedEvent(context.Background(),
 								&user.NewAggregate("user1", "org1").Aggregate,
 								true,
+								true,
 							),
 						),
 					),
@@ -1032,6 +1034,7 @@ func TestCommandSide_RemoveUser(t *testing.T) {
 							instance.NewDomainPolicyAddedEvent(context.Background(),
 								&user.NewAggregate("user1", "org1").Aggregate,
 								true,
+								true,
 							),
 						),
 					),
@@ -1096,6 +1099,7 @@ func TestCommandSide_RemoveUser(t *testing.T) {
 							instance.NewDomainPolicyAddedEvent(context.Background(),
 								&user.NewAggregate("user1", "org1").Aggregate,
 								true,
+								true,
 							),
 						),
 					),
@@ -1153,6 +1157,7 @@ func TestCommandSide_RemoveUser(t *testing.T) {
 							instance.NewDomainPolicyAddedEvent(context.Background(),
 								&user.NewAggregate("user1", "org1").Aggregate,
 								true,
+								true,
 							),
 						),
 					),