feat: V2 alpha import and export of organizations (#3798)

* feat(import): add functionality to import data into an instance

* feat(import): move import to admin api and additional checks for nil pointer

* fix(export): export implementation with filtered members and grants

* fix: export and import implementation

* fix: add possibility to export hashed passwords with the user

* fix(import): import with structure of v1 and v2

* docs: add v1 proto

* fix(import): check im imported user is already existing

* fix(import): add otp import function

* fix(import): add external idps, domains, custom text and messages

* fix(import): correct usage of default values from login policy

* fix(export): fix renaming of add project function

* fix(import): move checks for unit tests

* expect filter

* fix(import): move checks for unit tests

* fix(import): move checks for unit tests

* fix(import): produce prerelease from branch

* fix(import): correctly use provided user id for machine user imports

* fix(import): corrected otp import and added guide for export and import

* fix: import verified and primary domains

* fix(import): add reading from gcs, s3 and localfile with tracing

* fix(import): gcs and s3, file size correction and error logging

* Delete docker-compose.yml

* fix(import): progress logging and count of resources

* fix(import): progress logging and count of resources

* log subscription

* fix(import): incorporate review

* fix(import): incorporate review

* docs: add suggestion for import

Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com>

* fix(import): add verification otp event and handling of deleted but existing users

Co-authored-by: Livio Amstutz <livio.a@gmail.com>
Co-authored-by: Fabienne <fabienne.gerschwiler@gmail.com>
Co-authored-by: Silvan <silvan.reusser@gmail.com>
Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com>

internal/query/user_password.go

@@ -0,0 +1,140 @@
+package query
+
+import (
+	"context"
+	"github.com/zitadel/zitadel/internal/crypto"
+	"github.com/zitadel/zitadel/internal/domain"
+	caos_errs "github.com/zitadel/zitadel/internal/errors"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/repository/user"
+	"github.com/zitadel/zitadel/internal/telemetry/tracing"
+	"time"
+)
+
+type HumanPasswordWriteModel struct {
+	eventstore.WriteModel
+
+	Secret               *crypto.CryptoValue
+	SecretChangeRequired bool
+
+	Code                     *crypto.CryptoValue
+	CodeCreationDate         time.Time
+	CodeExpiry               time.Duration
+	PasswordCheckFailedCount uint64
+
+	UserState domain.UserState
+}
+
+func (q *Queries) GetHumanPassword(ctx context.Context, orgID, userID string) (passwordHash []byte, algorithm string, err error) {
+	if userID == "" {
+		return nil, "", caos_errs.ThrowInvalidArgument(nil, "QUERY-4Mfsf", "Errors.User.UserIDMissing")
+	}
+	existingPassword, err := q.passwordWriteModel(ctx, userID, orgID)
+	if err != nil {
+		return nil, "", caos_errs.ThrowInternal(nil, "QUERY-p1k1n2i", "Errors.User.NotFound")
+	}
+	if existingPassword.UserState == domain.UserStateUnspecified || existingPassword.UserState == domain.UserStateDeleted {
+		return nil, "", caos_errs.ThrowPreconditionFailed(nil, "QUERY-3n77z", "Errors.User.NotFound")
+	}
+
+	if existingPassword.Secret != nil && existingPassword.Secret.Crypted != nil {
+		return existingPassword.Secret.Crypted, existingPassword.Secret.Algorithm, nil
+	}
+
+	return nil, "", nil
+}
+
+func (q *Queries) passwordWriteModel(ctx context.Context, userID, resourceOwner string) (writeModel *HumanPasswordWriteModel, err error) {
+	ctx, span := tracing.NewSpan(ctx)
+	defer func() { span.EndWithError(err) }()
+
+	writeModel = NewHumanPasswordWriteModel(userID, resourceOwner)
+	err = q.eventstore.FilterToQueryReducer(ctx, writeModel)
+	if err != nil {
+		return nil, err
+	}
+	return writeModel, nil
+}
+
+func NewHumanPasswordWriteModel(userID, resourceOwner string) *HumanPasswordWriteModel {
+	return &HumanPasswordWriteModel{
+		WriteModel: eventstore.WriteModel{
+			AggregateID:   userID,
+			ResourceOwner: resourceOwner,
+		},
+	}
+}
+
+func (wm *HumanPasswordWriteModel) Reduce() error {
+	for _, event := range wm.Events {
+		switch e := event.(type) {
+		case *user.HumanAddedEvent:
+			wm.Secret = e.Secret
+			wm.SecretChangeRequired = e.ChangeRequired
+			wm.UserState = domain.UserStateActive
+		case *user.HumanRegisteredEvent:
+			wm.Secret = e.Secret
+			wm.SecretChangeRequired = e.ChangeRequired
+			wm.UserState = domain.UserStateActive
+		case *user.HumanInitialCodeAddedEvent:
+			wm.UserState = domain.UserStateInitial
+		case *user.HumanInitializedCheckSucceededEvent:
+			wm.UserState = domain.UserStateActive
+		case *user.HumanPasswordChangedEvent:
+			wm.Secret = e.Secret
+			wm.SecretChangeRequired = e.ChangeRequired
+			wm.Code = nil
+			wm.PasswordCheckFailedCount = 0
+		case *user.HumanPasswordCodeAddedEvent:
+			wm.Code = e.Code
+			wm.CodeCreationDate = e.CreationDate()
+			wm.CodeExpiry = e.Expiry
+		case *user.HumanEmailVerifiedEvent:
+			if wm.UserState == domain.UserStateInitial {
+				wm.UserState = domain.UserStateActive
+			}
+		case *user.HumanPasswordCheckFailedEvent:
+			wm.PasswordCheckFailedCount += 1
+		case *user.HumanPasswordCheckSucceededEvent:
+			wm.PasswordCheckFailedCount = 0
+		case *user.UserUnlockedEvent:
+			wm.PasswordCheckFailedCount = 0
+		case *user.UserRemovedEvent:
+			wm.UserState = domain.UserStateDeleted
+		}
+	}
+	return wm.WriteModel.Reduce()
+}
+
+func (wm *HumanPasswordWriteModel) Query() *eventstore.SearchQueryBuilder {
+	query := eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent).
+		AddQuery().
+		AggregateTypes(user.AggregateType).
+		AggregateIDs(wm.AggregateID).
+		EventTypes(user.HumanAddedType,
+			user.HumanRegisteredType,
+			user.HumanInitialCodeAddedType,
+			user.HumanInitializedCheckSucceededType,
+			user.HumanPasswordChangedType,
+			user.HumanPasswordCodeAddedType,
+			user.HumanEmailVerifiedType,
+			user.HumanPasswordCheckFailedType,
+			user.HumanPasswordCheckSucceededType,
+			user.UserRemovedType,
+			user.UserUnlockedType,
+			user.UserV1AddedType,
+			user.UserV1RegisteredType,
+			user.UserV1InitialCodeAddedType,
+			user.UserV1InitializedCheckSucceededType,
+			user.UserV1PasswordChangedType,
+			user.UserV1PasswordCodeAddedType,
+			user.UserV1EmailVerifiedType,
+			user.UserV1PasswordCheckFailedType,
+			user.UserV1PasswordCheckSucceededType).
+		Builder()
+
+	if wm.ResourceOwner != "" {
+		query.ResourceOwner(wm.ResourceOwner)
+	}
+	return query
+}