fix: check login policy state for idp policy mgmt (#2384)

internal/command/iam_policy_login.go

@@ -2,6 +2,7 @@ package command
 
 import (
 	"context"
+
 	"github.com/caos/logging"
 	"github.com/caos/zitadel/internal/domain"
 	caos_errs "github.com/caos/zitadel/internal/errors"
@@ -88,7 +89,16 @@ func (c *Commands) AddIDPProviderToDefaultLoginPolicy(ctx context.Context, idpPr
 	if !idpProvider.IsValid() {
 		return nil, caos_errs.ThrowInvalidArgument(nil, "IAM-9nf88", "Errors.IAM.LoginPolicy.IDP.Invalid")
 	}
-	_, err := c.getIAMIDPConfigByID(ctx, idpProvider.IDPConfigID)
+	existingPolicy := NewIAMLoginPolicyWriteModel()
+	err := c.defaultLoginPolicyWriteModelByID(ctx, existingPolicy)
+	if err != nil {
+		return nil, err
+	}
+	if existingPolicy.State == domain.PolicyStateUnspecified || existingPolicy.State == domain.PolicyStateRemoved {
+		return nil, caos_errs.ThrowNotFound(nil, "IAM-GVDfe", "Errors.IAM.LoginPolicy.NotFound")
+	}
+
+	_, err = c.getIAMIDPConfigByID(ctx, idpProvider.IDPConfigID)
 	if err != nil {
 		return nil, caos_errs.ThrowPreconditionFailed(err, "IAM-m8fsd", "Errors.IDPConfig.NotExisting")
 	}
@@ -117,8 +127,17 @@ func (c *Commands) RemoveIDPProviderFromDefaultLoginPolicy(ctx context.Context,
 	if !idpProvider.IsValid() {
 		return nil, caos_errs.ThrowInvalidArgument(nil, "IAM-66m9s", "Errors.IAM.LoginPolicy.IDP.Invalid")
 	}
+	existingPolicy := NewIAMLoginPolicyWriteModel()
+	err := c.defaultLoginPolicyWriteModelByID(ctx, existingPolicy)
+	if err != nil {
+		return nil, err
+	}
+	if existingPolicy.State == domain.PolicyStateUnspecified || existingPolicy.State == domain.PolicyStateRemoved {
+		return nil, caos_errs.ThrowNotFound(nil, "IAM-Dfg4t", "Errors.IAM.LoginPolicy.NotFound")
+	}
+
 	idpModel := NewIAMIdentityProviderWriteModel(idpProvider.IDPConfigID)
-	err := c.eventstore.FilterToQueryReducer(ctx, idpModel)
+	err = c.eventstore.FilterToQueryReducer(ctx, idpModel)
 	if err != nil {
 		return nil, err
 	}

internal/command/iam_policy_login_test.go

@@ -313,11 +313,42 @@ func TestCommandSide_AddIDPProviderDefaultLoginPolicy(t *testing.T) {
 				err: caos_errs.IsErrorInvalidArgument,
 			},
 		},
+		{
+			name: "policy not existing, not found error",
+			fields: fields{
+				eventstore: eventstoreExpect(
+					t,
+					expectFilter(),
+				),
+			},
+			args: args{
+				ctx: context.Background(),
+				provider: &domain.IDPProvider{
+					IDPConfigID: "config1",
+				},
+			},
+			res: res{
+				err: caos_errs.IsNotFound,
+			},
+		},
 		{
 			name: "config not existing, precondition error",
 			fields: fields{
 				eventstore: eventstoreExpect(
 					t,
+					expectFilter(
+						eventFromEventPusher(
+							iam.NewLoginPolicyAddedEvent(context.Background(),
+								&iam.NewAggregate().Aggregate,
+								true,
+								true,
+								true,
+								true,
+								true,
+								domain.PasswordlessTypeAllowed,
+							),
+						),
+					),
 					expectFilter(),
 				),
 			},
@@ -336,6 +367,19 @@ func TestCommandSide_AddIDPProviderDefaultLoginPolicy(t *testing.T) {
 			fields: fields{
 				eventstore: eventstoreExpect(
 					t,
+					expectFilter(
+						eventFromEventPusher(
+							iam.NewLoginPolicyAddedEvent(context.Background(),
+								&iam.NewAggregate().Aggregate,
+								true,
+								true,
+								true,
+								true,
+								true,
+								domain.PasswordlessTypeAllowed,
+							),
+						),
+					),
 					expectFilter(
 						eventFromEventPusher(
 							iam.NewIDPConfigAddedEvent(context.Background(),
@@ -349,17 +393,6 @@ func TestCommandSide_AddIDPProviderDefaultLoginPolicy(t *testing.T) {
 						),
 					),
 					expectFilter(
-						eventFromEventPusher(
-							iam.NewLoginPolicyAddedEvent(context.Background(),
-								&iam.NewAggregate().Aggregate,
-								true,
-								true,
-								true,
-								true,
-								true,
-								domain.PasswordlessTypeAllowed,
-							),
-						),
 						eventFromEventPusher(
 							iam.NewIdentityProviderAddedEvent(context.Background(),
 								&iam.NewAggregate().Aggregate,
@@ -384,6 +417,19 @@ func TestCommandSide_AddIDPProviderDefaultLoginPolicy(t *testing.T) {
 			fields: fields{
 				eventstore: eventstoreExpect(
 					t,
+					expectFilter(
+						eventFromEventPusher(
+							iam.NewLoginPolicyAddedEvent(context.Background(),
+								&iam.NewAggregate().Aggregate,
+								true,
+								true,
+								true,
+								true,
+								true,
+								domain.PasswordlessTypeAllowed,
+							),
+						),
+					),
 					expectFilter(
 						eventFromEventPusher(
 							iam.NewIDPConfigAddedEvent(context.Background(),
@@ -478,11 +524,42 @@ func TestCommandSide_RemoveIDPProviderDefaultLoginPolicy(t *testing.T) {
 				err: caos_errs.IsErrorInvalidArgument,
 			},
 		},
+		{
+			name: "login policy not existing, not found error",
+			fields: fields{
+				eventstore: eventstoreExpect(
+					t,
+					expectFilter(),
+				),
+			},
+			args: args{
+				ctx: context.Background(),
+				provider: &domain.IDPProvider{
+					IDPConfigID: "config1",
+				},
+			},
+			res: res{
+				err: caos_errs.IsNotFound,
+			},
+		},
 		{
 			name: "provider not existing, not found error",
 			fields: fields{
 				eventstore: eventstoreExpect(
 					t,
+					expectFilter(
+						eventFromEventPusher(
+							iam.NewLoginPolicyAddedEvent(context.Background(),
+								&iam.NewAggregate().Aggregate,
+								true,
+								true,
+								true,
+								true,
+								true,
+								domain.PasswordlessTypeAllowed,
+							),
+						),
+					),
 					expectFilter(),
 				),
 			},
@@ -513,6 +590,8 @@ func TestCommandSide_RemoveIDPProviderDefaultLoginPolicy(t *testing.T) {
 								domain.PasswordlessTypeAllowed,
 							),
 						),
+					),
+					expectFilter(
 						eventFromEventPusher(
 							iam.NewIdentityProviderAddedEvent(context.Background(),
 								&iam.NewAggregate().Aggregate,
@@ -555,6 +634,8 @@ func TestCommandSide_RemoveIDPProviderDefaultLoginPolicy(t *testing.T) {
 								domain.PasswordlessTypeAllowed,
 							),
 						),
+					),
+					expectFilter(
 						eventFromEventPusher(
 							iam.NewIdentityProviderAddedEvent(context.Background(),
 								&iam.NewAggregate().Aggregate,
@@ -602,6 +683,8 @@ func TestCommandSide_RemoveIDPProviderDefaultLoginPolicy(t *testing.T) {
 								domain.PasswordlessTypeAllowed,
 							),
 						),
+					),
+					expectFilter(
 						eventFromEventPusher(
 							iam.NewIdentityProviderAddedEvent(context.Background(),
 								&iam.NewAggregate().Aggregate,
@@ -657,6 +740,8 @@ func TestCommandSide_RemoveIDPProviderDefaultLoginPolicy(t *testing.T) {
 								domain.PasswordlessTypeAllowed,
 							),
 						),
+					),
+					expectFilter(
 						eventFromEventPusher(
 							iam.NewIdentityProviderAddedEvent(context.Background(),
 								&iam.NewAggregate().Aggregate,

internal/command/org_policy_login.go

@@ -165,7 +165,14 @@ func (c *Commands) AddIDPProviderToLoginPolicy(ctx context.Context, resourceOwne
 	if !idpProvider.IsValid() {
 		return nil, caos_errs.ThrowInvalidArgument(nil, "Org-9nf88", "Errors.Org.LoginPolicy.IDP.")
 	}
-	var err error
+	existingPolicy, err := c.orgLoginPolicyWriteModelByID(ctx, resourceOwner)
+	if err != nil {
+		return nil, err
+	}
+	if existingPolicy.State == domain.PolicyStateUnspecified || existingPolicy.State == domain.PolicyStateRemoved {
+		return nil, caos_errs.ThrowNotFound(nil, "Org-Ffgw2", "Errors.Org.LoginPolicy.NotFound")
+	}
+
 	if idpProvider.Type == domain.IdentityProviderTypeOrg {
 		_, err = c.getOrgIDPConfigByID(ctx, idpProvider.IDPConfigID, resourceOwner)
 	} else {
@@ -202,8 +209,16 @@ func (c *Commands) RemoveIDPProviderFromLoginPolicy(ctx context.Context, resourc
 	if !idpProvider.IsValid() {
 		return nil, caos_errs.ThrowInvalidArgument(nil, "Org-66m9s", "Errors.Org.LoginPolicy.IDP.Invalid")
 	}
+	existingPolicy, err := c.orgLoginPolicyWriteModelByID(ctx, resourceOwner)
+	if err != nil {
+		return nil, err
+	}
+	if existingPolicy.State == domain.PolicyStateUnspecified || existingPolicy.State == domain.PolicyStateRemoved {
+		return nil, caos_errs.ThrowNotFound(nil, "Org-GVDfe", "Errors.Org.LoginPolicy.NotFound")
+	}
+
 	idpModel := NewOrgIdentityProviderWriteModel(resourceOwner, idpProvider.IDPConfigID)
-	err := c.eventstore.FilterToQueryReducer(ctx, idpModel)
+	err = c.eventstore.FilterToQueryReducer(ctx, idpModel)
 	if err != nil {
 		return nil, err
 	}

internal/command/org_policy_login_test.go

@@ -625,11 +625,45 @@ func TestCommandSide_AddIDPProviderLoginPolicy(t *testing.T) {
 				err: caos_errs.IsErrorInvalidArgument,
 			},
 		},
+		{
+			name: "policy not existing, not found error",
+			fields: fields{
+				eventstore: eventstoreExpect(
+					t,
+					expectFilter(),
+				),
+			},
+			args: args{
+				ctx:           context.Background(),
+				resourceOwner: "org1",
+				provider: &domain.IDPProvider{
+					IDPConfigID: "config1",
+					Name:        "name",
+					Type:        domain.IdentityProviderTypeOrg,
+				},
+			},
+			res: res{
+				err: caos_errs.IsNotFound,
+			},
+		},
 		{
 			name: "config not existing, precondition error",
 			fields: fields{
 				eventstore: eventstoreExpect(
 					t,
+					expectFilter(
+						eventFromEventPusher(
+							org.NewLoginPolicyAddedEvent(context.Background(),
+								&org.NewAggregate("org1", "org1").Aggregate,
+								true,
+								true,
+								true,
+								true,
+								true,
+								domain.PasswordlessTypeAllowed,
+							),
+						),
+					),
 					expectFilter(),
 				),
 			},
@@ -651,6 +685,19 @@ func TestCommandSide_AddIDPProviderLoginPolicy(t *testing.T) {
 			fields: fields{
 				eventstore: eventstoreExpect(
 					t,
+					expectFilter(
+						eventFromEventPusher(
+							org.NewLoginPolicyAddedEvent(context.Background(),
+								&org.NewAggregate("org1", "org1").Aggregate,
+								true,
+								true,
+								true,
+								true,
+								true,
+								domain.PasswordlessTypeAllowed,
+							),
+						),
+					),
 					expectFilter(
 						eventFromEventPusher(
 							org.NewIDPConfigAddedEvent(context.Background(),
@@ -664,17 +711,6 @@ func TestCommandSide_AddIDPProviderLoginPolicy(t *testing.T) {
 						),
 					),
 					expectFilter(
-						eventFromEventPusher(
-							org.NewLoginPolicyAddedEvent(context.Background(),
-								&org.NewAggregate("org1", "org1").Aggregate,
-								true,
-								true,
-								true,
-								true,
-								true,
-								domain.PasswordlessTypeAllowed,
-							),
-						),
 						eventFromEventPusher(
 							org.NewIdentityProviderAddedEvent(context.Background(),
 								&org.NewAggregate("org1", "or1").Aggregate,
@@ -703,6 +739,19 @@ func TestCommandSide_AddIDPProviderLoginPolicy(t *testing.T) {
 			fields: fields{
 				eventstore: eventstoreExpect(
 					t,
+					expectFilter(
+						eventFromEventPusher(
+							org.NewLoginPolicyAddedEvent(context.Background(),
+								&org.NewAggregate("org1", "org1").Aggregate,
+								true,
+								true,
+								true,
+								true,
+								true,
+								domain.PasswordlessTypeAllowed,
+							),
+						),
+					),
 					expectFilter(
 						eventFromEventPusher(
 							org.NewIDPConfigAddedEvent(context.Background(),
@@ -823,11 +872,43 @@ func TestCommandSide_RemoveIDPProviderLoginPolicy(t *testing.T) {
 				err: caos_errs.IsErrorInvalidArgument,
 			},
 		},
+		{
+			name: "login policy not exist, not found error",
+			fields: fields{
+				eventstore: eventstoreExpect(
+					t,
+					expectFilter(),
+				),
+			},
+			args: args{
+				ctx:           context.Background(),
+				resourceOwner: "org1",
+				provider: &domain.IDPProvider{
+					IDPConfigID: "config1",
+				},
+			},
+			res: res{
+				err: caos_errs.IsNotFound,
+			},
+		},
 		{
 			name: "provider not existing, not found error",
 			fields: fields{
 				eventstore: eventstoreExpect(
 					t,
+					expectFilter(
+						eventFromEventPusher(
+							org.NewLoginPolicyAddedEvent(context.Background(),
+								&org.NewAggregate("org1", "org1").Aggregate,
+								true,
+								true,
+								true,
+								true,
+								true,
+								domain.PasswordlessTypeAllowed,
+							),
+						),
+					),
 					expectFilter(),
 				),
 			},
@@ -861,6 +942,8 @@ func TestCommandSide_RemoveIDPProviderLoginPolicy(t *testing.T) {
 								domain.PasswordlessTypeAllowed,
 							),
 						),
+					),
+					expectFilter(
 						eventFromEventPusher(
 							org.NewIdentityProviderAddedEvent(context.Background(),
 								&org.NewAggregate("org1", "org1").Aggregate,
@@ -905,6 +988,8 @@ func TestCommandSide_RemoveIDPProviderLoginPolicy(t *testing.T) {
 								domain.PasswordlessTypeAllowed,
 							),
 						),
+					),
+					expectFilter(
 						eventFromEventPusher(
 							org.NewIdentityProviderAddedEvent(context.Background(),
 								&org.NewAggregate("org1", "org1").Aggregate,
@@ -956,6 +1041,8 @@ func TestCommandSide_RemoveIDPProviderLoginPolicy(t *testing.T) {
 								domain.PasswordlessTypeAllowed,
 							),
 						),
+					),
+					expectFilter(
 						eventFromEventPusher(
 							org.NewIdentityProviderAddedEvent(context.Background(),
 								&org.NewAggregate("org1", "org1").Aggregate,
@@ -1015,6 +1102,8 @@ func TestCommandSide_RemoveIDPProviderLoginPolicy(t *testing.T) {
 								domain.PasswordlessTypeAllowed,
 							),
 						),
+					),
+					expectFilter(
 						eventFromEventPusher(
 							org.NewIdentityProviderAddedEvent(context.Background(),
 								&org.NewAggregate("org1", "org1").Aggregate,

internal/org/repository/eventsourcing/model/login_policy.go

@@ -30,6 +30,9 @@ func (o *Org) appendAddIdpProviderToLoginPolicyEvent(event *es_models.Event) err
 		return err
 	}
 	provider.ObjectRoot.CreationDate = event.CreationDate
+	if o.LoginPolicy == nil {
+		return nil
+	}
 	o.LoginPolicy.IDPProviders = append(o.LoginPolicy.IDPProviders, provider)
 	return nil
 }
@@ -40,6 +43,9 @@ func (o *Org) appendRemoveIdpProviderFromLoginPolicyEvent(event *es_models.Event
 	if err != nil {
 		return err
 	}
+	if o.LoginPolicy == nil {
+		return nil
+	}
 	if i, m := iam_es_model.GetIDPProvider(o.LoginPolicy.IDPProviders, provider.IDPConfigID); m != nil {
 		o.LoginPolicy.IDPProviders[i] = o.LoginPolicy.IDPProviders[len(o.LoginPolicy.IDPProviders)-1]
 		o.LoginPolicy.IDPProviders[len(o.LoginPolicy.IDPProviders)-1] = nil