fix: move v2 pkgs (#1331)

* fix: move eventstore pkgs

* fix: move eventstore pkgs

* fix: remove v2 view

* fix: remove v2 view

internal/domain/application.go

@@ -0,0 +1,38 @@
+package domain
+
+type Application interface {
+	GetAppID() string
+	GetApplicationName() string
+	GetState() AppState
+}
+
+type AppState int32
+
+const (
+	AppStateUnspecified AppState = iota
+	AppStateActive
+	AppStateInactive
+	AppStateRemoved
+)
+
+func (a AppState) Exists() bool {
+	return !(a == AppStateUnspecified || a == AppStateRemoved)
+}
+
+type ChangeApp struct {
+	AppID   string
+	AppName string
+	State   AppState
+}
+
+func (a *ChangeApp) GetAppID() string {
+	return a.AppID
+}
+
+func (a *ChangeApp) GetApplicationName() string {
+	return a.AppName
+}
+
+func (a *ChangeApp) GetState() AppState {
+	return a.State
+}

internal/domain/application_api.go

@@ -0,0 +1,61 @@
+package domain
+
+import (
+	"github.com/caos/zitadel/internal/crypto"
+	"github.com/caos/zitadel/internal/eventstore/v1/models"
+)
+
+type APIApp struct {
+	models.ObjectRoot
+
+	AppID              string
+	AppName            string
+	ClientID           string
+	ClientSecret       *crypto.CryptoValue
+	ClientSecretString string
+	AuthMethodType     APIAuthMethodType
+
+	State AppState
+}
+
+func (a *APIApp) GetApplicationName() string {
+	return a.AppName
+}
+
+func (a *APIApp) GetState() AppState {
+	return a.State
+}
+
+type APIAuthMethodType int32
+
+const (
+	APIAuthMethodTypeBasic APIAuthMethodType = iota
+	APIAuthMethodTypePrivateKeyJWT
+)
+
+func (a *APIApp) IsValid() bool {
+	return true
+}
+
+func (a *APIApp) setClientID(clientID string) {
+	a.ClientID = clientID
+}
+
+func (a *APIApp) setClientSecret(clientSecret *crypto.CryptoValue) {
+	a.ClientSecret = clientSecret
+}
+
+func (a *APIApp) requiresClientSecret() bool {
+	return a.AuthMethodType == APIAuthMethodTypeBasic
+}
+
+func (a *APIApp) GenerateClientSecretIfNeeded(generator crypto.Generator) (secret string, err error) {
+	if a.AuthMethodType == APIAuthMethodTypePrivateKeyJWT {
+		return "", nil
+	}
+	a.ClientSecret, secret, err = NewClientSecret(generator)
+	if err != nil {
+		return "", err
+	}
+	return secret, nil
+}

internal/domain/application_key.go

@@ -0,0 +1,60 @@
+package domain
+
+import (
+	"encoding/json"
+	"time"
+
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/v1/models"
+)
+
+type ApplicationKey struct {
+	models.ObjectRoot
+
+	ApplicationID  string
+	ClientID       string
+	KeyID          string
+	Type           AuthNKeyType
+	ExpirationDate time.Time
+	PrivateKey     []byte
+	PublicKey      []byte
+}
+
+func (k *ApplicationKey) setPublicKey(publicKey []byte) {
+	k.PublicKey = publicKey
+}
+
+func (k *ApplicationKey) setPrivateKey(privateKey []byte) {
+	k.PrivateKey = privateKey
+}
+
+func (k *ApplicationKey) expirationDate() time.Time {
+	return k.ExpirationDate
+}
+
+func (k *ApplicationKey) setExpirationDate(expiration time.Time) {
+	k.ExpirationDate = expiration
+}
+
+func (k *ApplicationKey) Detail() ([]byte, error) {
+	if k.Type == AuthNKeyTypeJSON {
+		return k.MarshalJSON()
+	}
+	return nil, errors.ThrowPreconditionFailed(nil, "KEY-dsg52", "Errors.Internal")
+}
+
+func (k *ApplicationKey) MarshalJSON() ([]byte, error) {
+	return json.Marshal(struct {
+		Type     string `json:"type"`
+		KeyID    string `json:"keyId"`
+		Key      string `json:"key"`
+		AppID    string `json:"appId"`
+		ClientID string `json:"clientID"`
+	}{
+		Type:     "application",
+		KeyID:    k.KeyID,
+		Key:      string(k.PrivateKey),
+		AppID:    k.ApplicationID,
+		ClientID: k.ClientID,
+	})
+}

internal/domain/application_oauth.go

@@ -0,0 +1,50 @@
+package domain
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/caos/logging"
+
+	"github.com/caos/zitadel/internal/crypto"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/id"
+)
+
+type oAuthApplication interface {
+	setClientID(clientID string)
+	setClientSecret(secret *crypto.CryptoValue)
+	requiresClientSecret() bool
+}
+
+//ClientID random_number@projectname (eg. 495894098234@zitadel)
+func SetNewClientID(a oAuthApplication, idGenerator id.Generator, project *Project) error {
+	rndID, err := idGenerator.Next()
+	if err != nil {
+		return err
+	}
+
+	a.setClientID(fmt.Sprintf("%v@%v", rndID, strings.ReplaceAll(strings.ToLower(project.Name), " ", "_")))
+	return nil
+}
+
+func SetNewClientSecretIfNeeded(a oAuthApplication, generator crypto.Generator) (string, error) {
+	if !a.requiresClientSecret() {
+		return "", nil
+	}
+	clientSecret, secretString, err := NewClientSecret(generator)
+	if err != nil {
+		return "", err
+	}
+	a.setClientSecret(clientSecret)
+	return secretString, nil
+}
+
+func NewClientSecret(generator crypto.Generator) (*crypto.CryptoValue, string, error) {
+	cryptoValue, stringSecret, err := crypto.NewCode(generator)
+	if err != nil {
+		logging.Log("MODEL-UpnTI").OnError(err).Error("unable to create client secret")
+		return nil, "", errors.ThrowInternal(err, "MODEL-gH2Wl", "Errors.Project.CouldNotGenerateClientSecret")
+	}
+	return cryptoValue, stringSecret, nil
+}

internal/domain/application_oidc.go

@@ -0,0 +1,299 @@
+package domain
+
+import (
+	"strings"
+	"time"
+
+	"github.com/caos/zitadel/internal/crypto"
+	"github.com/caos/zitadel/internal/eventstore/v1/models"
+)
+
+const (
+	http           = "http://"
+	httpLocalhost  = "http://localhost:"
+	httpLocalhost2 = "http://localhost/"
+	https          = "https://"
+)
+
+type OIDCApp struct {
+	models.ObjectRoot
+
+	AppID                    string
+	AppName                  string
+	ClientID                 string
+	ClientSecret             *crypto.CryptoValue
+	ClientSecretString       string
+	RedirectUris             []string
+	ResponseTypes            []OIDCResponseType
+	GrantTypes               []OIDCGrantType
+	ApplicationType          OIDCApplicationType
+	AuthMethodType           OIDCAuthMethodType
+	PostLogoutRedirectUris   []string
+	OIDCVersion              OIDCVersion
+	Compliance               *Compliance
+	DevMode                  bool
+	AccessTokenType          OIDCTokenType
+	AccessTokenRoleAssertion bool
+	IDTokenRoleAssertion     bool
+	IDTokenUserinfoAssertion bool
+	ClockSkew                time.Duration
+
+	State AppState
+}
+
+func (h OIDCApp) GetApplicationName() string {
+	return h.AppName
+}
+
+func (h OIDCApp) GetState() AppState {
+	return h.State
+}
+
+func (h OIDCApp) setClientID(clientID string) {
+	h.ClientID = clientID
+}
+
+func (h OIDCApp) setClientSecret(clientSecret *crypto.CryptoValue) {
+	h.ClientSecret = clientSecret
+}
+
+func (h OIDCApp) requiresClientSecret() bool {
+	return h.AuthMethodType == OIDCAuthMethodTypeBasic || h.AuthMethodType == OIDCAuthMethodTypePost
+}
+
+type OIDCVersion int32
+
+const (
+	OIDCVersionV1 OIDCVersion = iota
+)
+
+type OIDCResponseType int32
+
+const (
+	OIDCResponseTypeCode OIDCResponseType = iota
+	OIDCResponseTypeIDToken
+	OIDCResponseTypeIDTokenToken
+)
+
+type OIDCGrantType int32
+
+const (
+	OIDCGrantTypeAuthorizationCode OIDCGrantType = iota
+	OIDCGrantTypeImplicit
+	OIDCGrantTypeRefreshToken
+)
+
+type OIDCApplicationType int32
+
+const (
+	OIDCApplicationTypeWeb OIDCApplicationType = iota
+	OIDCApplicationTypeUserAgent
+	OIDCApplicationTypeNative
+)
+
+type OIDCAuthMethodType int32
+
+const (
+	OIDCAuthMethodTypeBasic OIDCAuthMethodType = iota
+	OIDCAuthMethodTypePost
+	OIDCAuthMethodTypeNone
+	OIDCAuthMethodTypePrivateKeyJWT
+)
+
+type Compliance struct {
+	NoneCompliant bool
+	Problems      []string
+}
+
+type OIDCTokenType int32
+
+const (
+	OIDCTokenTypeBearer OIDCTokenType = iota
+	OIDCTokenTypeJWT
+)
+
+func (c *OIDCApp) IsValid() bool {
+	grantTypes := c.getRequiredGrantTypes()
+	for _, grantType := range grantTypes {
+		ok := containsOIDCGrantType(c.GrantTypes, grantType)
+		if !ok {
+			return false
+		}
+	}
+	return true
+}
+
+func (c *OIDCApp) getRequiredGrantTypes() []OIDCGrantType {
+	grantTypes := make([]OIDCGrantType, 0)
+	implicit := false
+	for _, r := range c.ResponseTypes {
+		switch r {
+		case OIDCResponseTypeCode:
+			grantTypes = append(grantTypes, OIDCGrantTypeAuthorizationCode)
+		case OIDCResponseTypeIDToken, OIDCResponseTypeIDTokenToken:
+			if !implicit {
+				implicit = true
+				grantTypes = append(grantTypes, OIDCGrantTypeImplicit)
+			}
+		}
+	}
+	return grantTypes
+}
+
+func containsOIDCGrantType(grantTypes []OIDCGrantType, grantType OIDCGrantType) bool {
+	for _, gt := range grantTypes {
+		if gt == grantType {
+			return true
+		}
+	}
+	return false
+}
+
+func (c *OIDCApp) FillCompliance() {
+	c.Compliance = GetOIDCCompliance(c.OIDCVersion, c.ApplicationType, c.GrantTypes, c.ResponseTypes, c.AuthMethodType, c.RedirectUris)
+}
+
+func GetOIDCCompliance(version OIDCVersion, appType OIDCApplicationType, grantTypes []OIDCGrantType, responseTypes []OIDCResponseType, authMethod OIDCAuthMethodType, redirectUris []string) *Compliance {
+	switch version {
+	case OIDCVersionV1:
+		return GetOIDCV1Compliance(appType, grantTypes, authMethod, redirectUris)
+	}
+	return nil
+}
+
+func GetOIDCV1Compliance(appType OIDCApplicationType, grantTypes []OIDCGrantType, authMethod OIDCAuthMethodType, redirectUris []string) *Compliance {
+	compliance := &Compliance{NoneCompliant: false}
+	if redirectUris == nil || len(redirectUris) == 0 {
+		compliance.NoneCompliant = true
+		compliance.Problems = append([]string{"Application.OIDC.V1.NoRedirectUris"}, compliance.Problems...)
+	}
+	if containsOIDCGrantType(grantTypes, OIDCGrantTypeImplicit) && containsOIDCGrantType(grantTypes, OIDCGrantTypeAuthorizationCode) {
+		CheckRedirectUrisImplicitAndCode(compliance, appType, redirectUris)
+	} else {
+		if containsOIDCGrantType(grantTypes, OIDCGrantTypeImplicit) {
+			CheckRedirectUrisImplicit(compliance, appType, redirectUris)
+		}
+		if containsOIDCGrantType(grantTypes, OIDCGrantTypeAuthorizationCode) {
+			CheckRedirectUrisCode(compliance, appType, redirectUris)
+		}
+	}
+
+	switch appType {
+	case OIDCApplicationTypeNative:
+		GetOIDCV1NativeApplicationCompliance(compliance, authMethod)
+	case OIDCApplicationTypeUserAgent:
+		GetOIDCV1UserAgentApplicationCompliance(compliance, authMethod)
+	}
+	if compliance.NoneCompliant {
+		compliance.Problems = append([]string{"Application.OIDC.V1.NotCompliant"}, compliance.Problems...)
+	}
+	return compliance
+}
+
+func GetOIDCV1NativeApplicationCompliance(compliance *Compliance, authMethod OIDCAuthMethodType) {
+	if authMethod != OIDCAuthMethodTypeNone {
+		compliance.NoneCompliant = true
+		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Native.AuthMethodType.NotNone")
+	}
+}
+
+func GetOIDCV1UserAgentApplicationCompliance(compliance *Compliance, authMethod OIDCAuthMethodType) {
+	if authMethod != OIDCAuthMethodTypeNone {
+		compliance.NoneCompliant = true
+		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.UserAgent.AuthMethodType.NotNone")
+	}
+}
+
+func CheckRedirectUrisCode(compliance *Compliance, appType OIDCApplicationType, redirectUris []string) {
+	if urlsAreHttps(redirectUris) {
+		return
+	}
+	if urlContainsPrefix(redirectUris, http) && appType != OIDCApplicationTypeWeb {
+		compliance.NoneCompliant = true
+		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb")
+	}
+	if containsCustom(redirectUris) && appType != OIDCApplicationTypeNative {
+		compliance.NoneCompliant = true
+		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Code.RedirectUris.CustomOnlyForNative")
+	}
+}
+
+func CheckRedirectUrisImplicit(compliance *Compliance, appType OIDCApplicationType, redirectUris []string) {
+	if urlsAreHttps(redirectUris) {
+		return
+	}
+	if containsCustom(redirectUris) {
+		compliance.NoneCompliant = true
+		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed")
+	}
+	if urlContainsPrefix(redirectUris, http) {
+		if appType == OIDCApplicationTypeNative {
+			if !onlyLocalhostIsHttp(redirectUris) {
+				compliance.NoneCompliant = true
+				compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.NativeShouldBeHttpLocalhost")
+			}
+			return
+		}
+		compliance.NoneCompliant = true
+		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.HttpNotAllowed")
+	}
+}
+
+func CheckRedirectUrisImplicitAndCode(compliance *Compliance, appType OIDCApplicationType, redirectUris []string) {
+	if urlsAreHttps(redirectUris) {
+		return
+	}
+	if containsCustom(redirectUris) && appType != OIDCApplicationTypeNative {
+		compliance.NoneCompliant = true
+		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed")
+	}
+	if (urlContainsPrefix(redirectUris, httpLocalhost) || urlContainsPrefix(redirectUris, httpLocalhost2)) && appType != OIDCApplicationTypeNative {
+		compliance.NoneCompliant = true
+		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.HttpLocalhostOnlyForNative")
+	}
+	if urlContainsPrefix(redirectUris, http) && !(urlContainsPrefix(redirectUris, httpLocalhost) || urlContainsPrefix(redirectUris, httpLocalhost2)) && appType != OIDCApplicationTypeWeb {
+		compliance.NoneCompliant = true
+		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb")
+	}
+	if !compliance.NoneCompliant {
+		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.NotAllCombinationsAreAllowed")
+	}
+}
+
+func urlsAreHttps(uris []string) bool {
+	for _, uri := range uris {
+		if !strings.HasPrefix(uri, https) {
+			return false
+		}
+	}
+	return true
+}
+
+func urlContainsPrefix(uris []string, prefix string) bool {
+	for _, uri := range uris {
+		if strings.HasPrefix(uri, prefix) {
+			return true
+		}
+	}
+	return false
+}
+
+func containsCustom(uris []string) bool {
+	for _, uri := range uris {
+		if !strings.HasPrefix(uri, http) && !strings.HasPrefix(uri, https) {
+			return true
+		}
+	}
+	return false
+}
+
+func onlyLocalhostIsHttp(uris []string) bool {
+	for _, uri := range uris {
+		if strings.HasPrefix(uri, http) {
+			if !strings.HasPrefix(uri, httpLocalhost) && !strings.HasPrefix(uri, httpLocalhost2) {
+				return false
+			}
+		}
+	}
+	return true
+}

internal/domain/auth_request.go

@@ -0,0 +1,150 @@
+package domain
+
+import (
+	"github.com/caos/zitadel/internal/errors"
+	"golang.org/x/text/language"
+	"strings"
+	"time"
+)
+
+type AuthRequest struct {
+	ID            string
+	AgentID       string
+	CreationDate  time.Time
+	ChangeDate    time.Time
+	BrowserInfo   *BrowserInfo
+	ApplicationID string
+	CallbackURI   string
+	TransferState string
+	Prompt        Prompt
+	PossibleLOAs  []LevelOfAssurance
+	UiLocales     []string
+	LoginHint     string
+	MaxAuthAge    uint32
+	Request       Request
+
+	levelOfAssurance    LevelOfAssurance
+	UserID              string
+	LoginName           string
+	DisplayName         string
+	UserOrgID           string
+	RequestedOrgID      string
+	RequestedOrgName    string
+	SelectedIDPConfigID string
+	LinkingUsers        []*ExternalUser
+	PossibleSteps       []NextStep
+	PasswordVerified    bool
+	MFAsVerified        []MFAType
+	Audience            []string
+	AuthTime            time.Time
+	Code                string
+	LoginPolicy         *LoginPolicy
+	AllowedExternalIDPs []*IDPProvider
+}
+
+type ExternalUser struct {
+	IDPConfigID       string
+	ExternalUserID    string
+	DisplayName       string
+	PreferredUsername string
+	FirstName         string
+	LastName          string
+	NickName          string
+	Email             string
+	IsEmailVerified   bool
+	PreferredLanguage language.Tag
+	Phone             string
+	IsPhoneVerified   bool
+}
+
+type Prompt int32
+
+const (
+	PromptUnspecified Prompt = iota
+	PromptNone
+	PromptLogin
+	PromptConsent
+	PromptSelectAccount
+)
+
+type LevelOfAssurance int
+
+const (
+	LevelOfAssuranceNone LevelOfAssurance = iota
+)
+
+type MFAType int
+
+const (
+	MFATypeOTP MFAType = iota
+	MFATypeU2F
+	MFATypeU2FUserVerification
+)
+
+type MFALevel int
+
+const (
+	MFALevelNotSetUp MFALevel = iota
+	MFALevelSecondFactor
+	MFALevelMultiFactor
+	MFALevelMultiFactorCertified
+)
+
+func NewAuthRequestFromType(requestType AuthRequestType) (*AuthRequest, error) {
+	request, ok := authRequestTypeMapping[requestType]
+	if !ok {
+		return nil, errors.ThrowInvalidArgument(nil, "DOMAIN-ds2kl", "invalid request type")
+	}
+	return &AuthRequest{Request: request}, nil
+}
+
+func (a *AuthRequest) WithCurrentInfo(info *BrowserInfo) *AuthRequest {
+	a.BrowserInfo = info
+	return a
+}
+
+func (a *AuthRequest) SetUserInfo(userID, loginName, displayName, userOrgID string) {
+	a.UserID = userID
+	a.LoginName = loginName
+	a.DisplayName = displayName
+	a.UserOrgID = userOrgID
+}
+
+func (a *AuthRequest) MFALevel() MFALevel {
+	return -1
+	//PLANNED: check a.PossibleLOAs (and Prompt Login?)
+}
+
+func (a *AuthRequest) AppendAudIfNotExisting(aud string) {
+	for _, a := range a.Audience {
+		if a == aud {
+			return
+		}
+	}
+	a.Audience = append(a.Audience, aud)
+}
+
+func (a *AuthRequest) GetScopeProjectIDsForAud() []string {
+	projectIDs := make([]string, 0)
+	switch request := a.Request.(type) {
+	case *AuthRequestOIDC:
+		for _, scope := range request.Scopes {
+			if strings.HasPrefix(scope, ProjectIDScope) && strings.HasSuffix(scope, AudSuffix) {
+				projectIDs = append(projectIDs, strings.TrimSuffix(strings.TrimPrefix(scope, ProjectIDScope), AudSuffix))
+			}
+		}
+	}
+	return projectIDs
+}
+
+func (a *AuthRequest) GetScopeOrgPrimaryDomain() string {
+	switch request := a.Request.(type) {
+	case *AuthRequestOIDC:
+		for _, scope := range request.Scopes {
+			if strings.HasPrefix(scope, OrgDomainPrimaryScope) {
+				return strings.TrimPrefix(scope, OrgDomainPrimaryScope)
+			}
+		}
+	}
+	return ""
+}

internal/domain/authn_key.go

@@ -0,0 +1,86 @@
+package domain
+
+import (
+	"time"
+
+	"github.com/caos/logging"
+
+	"github.com/caos/zitadel/internal/crypto"
+	"github.com/caos/zitadel/internal/errors"
+)
+
+var (
+	//most of us won't survive until 12-31-9999 23:59:59, maybe ZITADEL does
+	defaultExpDate = time.Date(9999, time.December, 31, 23, 59, 59, 0, time.UTC)
+)
+
+type AuthNKey interface {
+}
+
+type authNKey interface {
+	setPublicKey([]byte)
+	setPrivateKey([]byte)
+	expirationDate() time.Time
+	setExpirationDate(time.Time)
+}
+
+type AuthNKeyType int32
+
+const (
+	AuthNKeyTypeNONE = iota
+	AuthNKeyTypeJSON
+
+	keyCount
+)
+
+func (k AuthNKeyType) Valid() bool {
+	return k >= 0 && k < keyCount
+}
+
+func (key *MachineKey) GenerateNewMachineKeyPair(keySize int) error {
+	privateKey, publicKey, err := crypto.GenerateKeyPair(keySize)
+	if err != nil {
+		return err
+	}
+	key.PublicKey, err = crypto.PublicKeyToBytes(publicKey)
+	if err != nil {
+		return err
+	}
+	key.PrivateKey = crypto.PrivateKeyToBytes(privateKey)
+	return nil
+}
+
+func EnsureValidExpirationDate(key authNKey) error {
+	if key.expirationDate().IsZero() {
+		key.setExpirationDate(defaultExpDate)
+	}
+	if key.expirationDate().Before(time.Now()) {
+		return errors.ThrowInvalidArgument(nil, "AUTHN-dv3t5", "Errors.AuthNKey.ExpireBeforeNow")
+	}
+	return nil
+}
+
+func SetNewAuthNKeyPair(key authNKey, keySize int) error {
+	privateKey, publicKey, err := NewAuthNKeyPair(keySize)
+	if err != nil {
+		return err
+	}
+	key.setPrivateKey(privateKey)
+	key.setPublicKey(publicKey)
+	return nil
+}
+
+func NewAuthNKeyPair(keySize int) (privateKey, publicKey []byte, err error) {
+	private, public, err := crypto.GenerateKeyPair(keySize)
+	if err != nil {
+		logging.Log("AUTHN-Ud51I").WithError(err).Error("unable to create authn key pair")
+		return nil, nil, errors.ThrowInternal(err, "AUTHN-gdg2l", "Errors.Project.CouldNotGenerateClientSecret")
+	}
+	publicKey, err = crypto.PublicKeyToBytes(public)
+	if err != nil {
+		logging.Log("AUTHN-Dbb35").WithError(err).Error("unable to convert public key")
+		return nil, nil, errors.ThrowInternal(err, "AUTHN-Bne3f", "Errors.Project.CouldNotGenerateClientSecret")
+	}
+	privateKey = crypto.PrivateKeyToBytes(private)
+	return privateKey, publicKey, nil
+}

internal/domain/browser_info.go

@@ -0,0 +1,22 @@
+package domain
+
+import (
+	"net"
+	net_http "net/http"
+
+	http_util "github.com/caos/zitadel/internal/api/http"
+)
+
+type BrowserInfo struct {
+	UserAgent      string
+	AcceptLanguage string
+	RemoteIP       net.IP
+}
+
+func BrowserInfoFromRequest(r *net_http.Request) *BrowserInfo {
+	return &BrowserInfo{
+		UserAgent:      r.Header.Get(http_util.UserAgentHeader),
+		AcceptLanguage: r.Header.Get(http_util.AcceptLanguage),
+		RemoteIP:       http_util.RemoteIPFromRequest(r),
+	}
+}

internal/domain/factors.go

@@ -0,0 +1,30 @@
+package domain
+
+type SecondFactorType int32
+
+const (
+	SecondFactorTypeUnspecified SecondFactorType = iota
+	SecondFactorTypeOTP
+	SecondFactorTypeU2F
+)
+
+type MultiFactorType int32
+
+const (
+	MultiFactorTypeUnspecified MultiFactorType = iota
+	MultiFactorTypeU2FWithPIN
+)
+
+type FactorState int32
+
+const (
+	FactorStateUnspecified FactorState = iota
+	FactorStateActive
+	FactorStateRemoved
+
+	factorStateCount
+)
+
+func (f FactorState) Valid() bool {
+	return f >= 0 && f < factorStateCount
+}

internal/domain/human.go

@@ -0,0 +1,110 @@
+package domain
+
+import (
+	"github.com/caos/zitadel/internal/crypto"
+	caos_errors "github.com/caos/zitadel/internal/errors"
+	es_models "github.com/caos/zitadel/internal/eventstore/v1/models"
+	"strings"
+	"time"
+)
+
+type Human struct {
+	es_models.ObjectRoot
+
+	Username string
+	State    UserState
+	*Password
+	*Profile
+	*Email
+	*Phone
+	*Address
+	ExternalIDPs       []*ExternalIDP
+	OTP                *OTP
+	U2FTokens          []*WebAuthNToken
+	PasswordlessTokens []*WebAuthNToken
+	U2FLogins          []*WebAuthNLogin
+	PasswordlessLogins []*WebAuthNLogin
+}
+
+func (h Human) GetUsername() string {
+	return h.Username
+}
+
+func (h Human) GetState() UserState {
+	return h.State
+}
+
+type InitUserCode struct {
+	es_models.ObjectRoot
+
+	Code   *crypto.CryptoValue
+	Expiry time.Duration
+}
+
+type Gender int32
+
+const (
+	GenderUnspecified Gender = iota
+	GenderFemale
+	GenderMale
+	GenderDiverse
+
+	genderCount
+)
+
+func (f Gender) Valid() bool {
+	return f >= 0 && f < genderCount
+}
+
+func (u *Human) IsValid() bool {
+	return u.Profile != nil && u.FirstName != "" && u.LastName != "" && u.Email != nil && u.Email.IsValid() && u.Phone == nil || (u.Phone != nil && u.Phone.PhoneNumber != "" && u.Phone.IsValid())
+}
+
+func (u *Human) CheckOrgIAMPolicy(policy *OrgIAMPolicy) error {
+	if policy == nil {
+		return caos_errors.ThrowPreconditionFailed(nil, "DOMAIN-zSH7j", "Errors.Users.OrgIamPolicyNil")
+	}
+	if policy.UserLoginMustBeDomain && strings.Contains(u.Username, "@") {
+		return caos_errors.ThrowPreconditionFailed(nil, "DOMAIN-se4sJ", "Errors.User.EmailAsUsernameNotAllowed")
+	}
+	if !policy.UserLoginMustBeDomain && u.Profile != nil && u.Username == "" && u.Email != nil {
+		u.Username = u.EmailAddress
+	}
+	return nil
+}
+
+func (u *Human) SetNamesAsDisplayname() {
+	if u.Profile != nil && u.DisplayName == "" && u.FirstName != "" && u.LastName != "" {
+		u.DisplayName = u.FirstName + " " + u.LastName
+	}
+}
+
+func (u *Human) HashPasswordIfExisting(policy *PasswordComplexityPolicy, passwordAlg crypto.HashAlgorithm, onetime bool) error {
+	if u.Password != nil {
+		u.Password.ChangeRequired = onetime
+		return u.Password.HashPasswordIfExisting(policy, passwordAlg)
+	}
+	return nil
+}
+
+func (u *Human) IsInitialState() bool {
+	return u.Email == nil || !u.IsEmailVerified || (u.ExternalIDPs == nil || len(u.ExternalIDPs) == 0) && (u.Password == nil || u.SecretString == "")
+}
+
+func NewInitUserCode(generator crypto.Generator) (*InitUserCode, error) {
+	initCodeCrypto, _, err := crypto.NewCode(generator)
+	if err != nil {
+		return nil, err
+	}
+	return &InitUserCode{
+		Code:   initCodeCrypto,
+		Expiry: generator.Expiry(),
+	}, nil
+}
+
+func GenerateLoginName(username, domain string, appendDomain bool) string {
+	if !appendDomain {
+		return username
+	}
+	return username + "@" + domain
+}

internal/domain/human_address.go

@@ -0,0 +1,27 @@
+package domain
+
+import es_models "github.com/caos/zitadel/internal/eventstore/v1/models"
+
+type Address struct {
+	es_models.ObjectRoot
+
+	Country       string
+	Locality      string
+	PostalCode    string
+	Region        string
+	StreetAddress string
+}
+
+type AddressState int32
+
+const (
+	AddressStateUnspecified AddressState = iota
+	AddressStateActive
+	AddressStateRemoved
+
+	addressStateCount
+)
+
+func (s AddressState) Valid() bool {
+	return s >= 0 && s < addressStateCount
+}

internal/domain/human_email.go

@@ -0,0 +1,36 @@
+package domain
+
+import (
+	"github.com/caos/zitadel/internal/crypto"
+	es_models "github.com/caos/zitadel/internal/eventstore/v1/models"
+	"time"
+)
+
+type Email struct {
+	es_models.ObjectRoot
+
+	EmailAddress    string
+	IsEmailVerified bool
+}
+
+type EmailCode struct {
+	es_models.ObjectRoot
+
+	Code   *crypto.CryptoValue
+	Expiry time.Duration
+}
+
+func (e *Email) IsValid() bool {
+	return e.EmailAddress != ""
+}
+
+func NewEmailCode(emailGenerator crypto.Generator) (*EmailCode, error) {
+	emailCodeCrypto, _, err := crypto.NewCode(emailGenerator)
+	if err != nil {
+		return nil, err
+	}
+	return &EmailCode{
+		Code:   emailCodeCrypto,
+		Expiry: emailGenerator.Expiry(),
+	}, nil
+}

internal/domain/human_external_idp.go

@@ -0,0 +1,29 @@
+package domain
+
+import es_models "github.com/caos/zitadel/internal/eventstore/v1/models"
+
+type ExternalIDP struct {
+	es_models.ObjectRoot
+
+	IDPConfigID    string
+	ExternalUserID string
+	DisplayName    string
+}
+
+func (idp *ExternalIDP) IsValid() bool {
+	return idp.AggregateID != "" && idp.IDPConfigID != "" && idp.ExternalUserID != ""
+}
+
+type ExternalIDPState int32
+
+const (
+	ExternalIDPStateUnspecified ExternalIDPState = iota
+	ExternalIDPStateActive
+	ExternalIDPStateRemoved
+
+	externalIDPStateCount
+)
+
+func (s ExternalIDPState) Valid() bool {
+	return s >= 0 && s < externalIDPStateCount
+}

internal/domain/human_otp.go

@@ -0,0 +1,43 @@
+package domain
+
+import (
+	"github.com/caos/zitadel/internal/crypto"
+	caos_errs "github.com/caos/zitadel/internal/errors"
+	es_models "github.com/caos/zitadel/internal/eventstore/v1/models"
+	"github.com/pquerna/otp"
+	"github.com/pquerna/otp/totp"
+)
+
+type OTP struct {
+	es_models.ObjectRoot
+
+	Secret       *crypto.CryptoValue
+	SecretString string
+	Url          string
+	State        MFAState
+}
+
+func NewOTPKey(issuer, accountName string, cryptoAlg crypto.EncryptionAlgorithm) (*otp.Key, *crypto.CryptoValue, error) {
+	key, err := totp.Generate(totp.GenerateOpts{Issuer: issuer, AccountName: accountName})
+	if err != nil {
+		return nil, nil, err
+	}
+	encryptedSecret, err := crypto.Encrypt([]byte(key.Secret()), cryptoAlg)
+	if err != nil {
+		return nil, nil, err
+	}
+	return key, encryptedSecret, nil
+}
+
+func VerifyMFAOTP(code string, secret *crypto.CryptoValue, cryptoAlg crypto.EncryptionAlgorithm) error {
+	decrypt, err := crypto.DecryptString(secret, cryptoAlg)
+	if err != nil {
+		return err
+	}
+
+	valid := totp.Validate(code, decrypt)
+	if !valid {
+		return caos_errs.ThrowInvalidArgument(nil, "EVENT-8isk2", "Errors.User.MFA.OTP.InvalidCode")
+	}
+	return nil
+}

internal/domain/human_password.go

@@ -0,0 +1,59 @@
+package domain
+
+import (
+	"github.com/caos/zitadel/internal/crypto"
+	caos_errs "github.com/caos/zitadel/internal/errors"
+	es_models "github.com/caos/zitadel/internal/eventstore/v1/models"
+	"time"
+)
+
+type Password struct {
+	es_models.ObjectRoot
+
+	SecretString   string
+	SecretCrypto   *crypto.CryptoValue
+	ChangeRequired bool
+}
+
+func NewPassword(password string) *Password {
+	return &Password{
+		SecretString: password,
+	}
+}
+
+type PasswordCode struct {
+	es_models.ObjectRoot
+
+	Code             *crypto.CryptoValue
+	Expiry           time.Duration
+	NotificationType NotificationType
+}
+
+func (p *Password) HashPasswordIfExisting(policy *PasswordComplexityPolicy, passwordAlg crypto.HashAlgorithm) error {
+	if p.SecretString == "" {
+		return nil
+	}
+	if policy == nil {
+		return caos_errs.ThrowPreconditionFailed(nil, "DOMAIN-s8ifS", "Errors.User.PasswordComplexityPolicy.NotFound")
+	}
+	if err := policy.Check(p.SecretString); err != nil {
+		return err
+	}
+	secret, err := crypto.Hash([]byte(p.SecretString), passwordAlg)
+	if err != nil {
+		return err
+	}
+	p.SecretCrypto = secret
+	return nil
+}
+
+func NewPasswordCode(passwordGenerator crypto.Generator) (*PasswordCode, error) {
+	passwordCodeCrypto, _, err := crypto.NewCode(passwordGenerator)
+	if err != nil {
+		return nil, err
+	}
+	return &PasswordCode{
+		Code:   passwordCodeCrypto,
+		Expiry: passwordGenerator.Expiry(),
+	}, nil
+}

internal/domain/human_phone.go

@@ -0,0 +1,66 @@
+package domain
+
+import (
+	"github.com/caos/zitadel/internal/crypto"
+	caos_errs "github.com/caos/zitadel/internal/errors"
+	es_models "github.com/caos/zitadel/internal/eventstore/v1/models"
+	"github.com/ttacon/libphonenumber"
+	"time"
+)
+
+const (
+	defaultRegion = "CH"
+)
+
+type Phone struct {
+	es_models.ObjectRoot
+
+	PhoneNumber     string
+	IsPhoneVerified bool
+}
+
+type PhoneCode struct {
+	es_models.ObjectRoot
+
+	Code   *crypto.CryptoValue
+	Expiry time.Duration
+}
+
+func (p *Phone) IsValid() bool {
+	err := p.formatPhone()
+	return p.PhoneNumber != "" && err == nil
+}
+
+func (p *Phone) formatPhone() error {
+	phoneNr, err := libphonenumber.Parse(p.PhoneNumber, defaultRegion)
+	if err != nil {
+		return caos_errs.ThrowPreconditionFailed(nil, "EVENT-so0wa", "Errors.User.Phone.Invalid")
+	}
+	p.PhoneNumber = libphonenumber.Format(phoneNr, libphonenumber.E164)
+	return nil
+}
+
+func NewPhoneCode(phoneGenerator crypto.Generator) (*PhoneCode, error) {
+	phoneCodeCrypto, _, err := crypto.NewCode(phoneGenerator)
+	if err != nil {
+		return nil, err
+	}
+	return &PhoneCode{
+		Code:   phoneCodeCrypto,
+		Expiry: phoneGenerator.Expiry(),
+	}, nil
+}
+
+type PhoneState int32
+
+const (
+	PhoneStateUnspecified PhoneState = iota
+	PhoneStateActive
+	PhoneStateRemoved
+
+	phoneStateCount
+)
+
+func (s PhoneState) Valid() bool {
+	return s >= 0 && s < phoneStateCount
+}

internal/domain/human_profile.go

@@ -0,0 +1,23 @@
+package domain
+
+import (
+	es_models "github.com/caos/zitadel/internal/eventstore/v1/models"
+	"golang.org/x/text/language"
+)
+
+type Profile struct {
+	es_models.ObjectRoot
+
+	FirstName          string
+	LastName           string
+	NickName           string
+	DisplayName        string
+	PreferredLanguage  language.Tag
+	Gender             Gender
+	PreferredLoginName string
+	LoginNames         []string
+}
+
+func (p *Profile) IsValid() bool {
+	return p.FirstName != "" && p.LastName != ""
+}

internal/domain/human_web_auth_n.go

@@ -0,0 +1,69 @@
+package domain
+
+import (
+	"bytes"
+	es_models "github.com/caos/zitadel/internal/eventstore/v1/models"
+)
+
+type WebAuthNToken struct {
+	es_models.ObjectRoot
+
+	WebAuthNTokenID        string
+	CredentialCreationData []byte
+	State                  MFAState
+	Challenge              string
+	AllowedCredentialIDs   [][]byte
+	UserVerification       UserVerificationRequirement
+	KeyID                  []byte
+	PublicKey              []byte
+	AttestationType        string
+	AAGUID                 []byte
+	SignCount              uint32
+	WebAuthNTokenName      string
+}
+
+type WebAuthNLogin struct {
+	es_models.ObjectRoot
+
+	CredentialAssertionData []byte
+	Challenge               string
+	AllowedCredentialIDs    [][]byte
+	UserVerification        UserVerificationRequirement
+	//TODO: Add Auth Request
+	//*model.AuthRequest
+}
+
+type UserVerificationRequirement int32
+
+const (
+	UserVerificationRequirementUnspecified UserVerificationRequirement = iota
+	UserVerificationRequirementRequired
+	UserVerificationRequirementPreferred
+	UserVerificationRequirementDiscouraged
+)
+
+type AuthenticatorAttachment int32
+
+const (
+	AuthenticatorAttachmentUnspecified AuthenticatorAttachment = iota
+	AuthenticatorAttachmentPlattform
+	AuthenticatorAttachmentCrossPlattform
+)
+
+func GetTokenToVerify(tokens []*WebAuthNToken) (int, *WebAuthNToken) {
+	for i, u2f := range tokens {
+		if u2f.State == MFAStateNotReady {
+			return i, u2f
+		}
+	}
+	return -1, nil
+}
+
+func GetTokenByKeyID(tokens []*WebAuthNToken, keyID []byte) (int, *WebAuthNToken) {
+	for i, token := range tokens {
+		if bytes.Compare(token.KeyID, keyID) == 0 {
+			return i, token
+		}
+	}
+	return -1, nil
+}

internal/domain/iam.go

@@ -0,0 +1,26 @@
+package domain
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v1/models"
+)
+
+const (
+	IAMID = "IAM"
+)
+
+type IAM struct {
+	models.ObjectRoot
+
+	GlobalOrgID                     string
+	IAMProjectID                    string
+	SetUpDone                       Step
+	SetUpStarted                    Step
+	Members                         []*Member
+	IDPs                            []*IDPConfig
+	DefaultLoginPolicy              *LoginPolicy
+	DefaultLabelPolicy              *LabelPolicy
+	DefaultOrgIAMPolicy             *OrgIAMPolicy
+	DefaultPasswordComplexityPolicy *PasswordComplexityPolicy
+	DefaultPasswordAgePolicy        *PasswordAgePolicy
+	DefaultPasswordLockoutPolicy    *PasswordLockoutPolicy
+}

internal/domain/idp_config.go

@@ -0,0 +1,100 @@
+package domain
+
+import (
+	"github.com/caos/zitadel/internal/crypto"
+	es_models "github.com/caos/zitadel/internal/eventstore/v1/models"
+	"time"
+)
+
+type IDPConfig struct {
+	es_models.ObjectRoot
+	IDPConfigID string
+	Type        IDPConfigType
+	Name        string
+	StylingType IDPConfigStylingType
+	State       IDPConfigState
+	OIDCConfig  *OIDCIDPConfig
+}
+
+type IDPConfigView struct {
+	AggregateID     string
+	IDPConfigID     string
+	Name            string
+	StylingType     IDPConfigStylingType
+	State           IDPConfigState
+	CreationDate    time.Time
+	ChangeDate      time.Time
+	Sequence        uint64
+	IDPProviderType IdentityProviderType
+
+	IsOIDC                    bool
+	OIDCClientID              string
+	OIDCClientSecret          *crypto.CryptoValue
+	OIDCIssuer                string
+	OIDCScopes                []string
+	OIDCIDPDisplayNameMapping OIDCMappingField
+	OIDCUsernameMapping       OIDCMappingField
+}
+
+type OIDCIDPConfig struct {
+	es_models.ObjectRoot
+	IDPConfigID           string
+	ClientID              string
+	ClientSecret          *crypto.CryptoValue
+	ClientSecretString    string
+	Issuer                string
+	Scopes                []string
+	IDPDisplayNameMapping OIDCMappingField
+	UsernameMapping       OIDCMappingField
+}
+
+type IDPConfigType int32
+
+const (
+	IDPConfigTypeOIDC IDPConfigType = iota
+	IDPConfigTypeSAML
+
+	//count is for validation
+	idpConfigTypeCount
+)
+
+func (f IDPConfigType) Valid() bool {
+	return f >= 0 && f < idpConfigTypeCount
+}
+
+type IDPConfigState int32
+
+const (
+	IDPConfigStateUnspecified IDPConfigState = iota
+	IDPConfigStateActive
+	IDPConfigStateInactive
+	IDPConfigStateRemoved
+
+	idpConfigStateCount
+)
+
+func (f IDPConfigState) Valid() bool {
+	return f >= 0 && f < idpConfigStateCount
+}
+
+type IDPConfigStylingType int32
+
+const (
+	IDPConfigStylingTypeUnspecified IDPConfigStylingType = iota
+	IDPConfigStylingTypeGoogle
+
+	idpConfigStylingTypeCount
+)
+
+func (f IDPConfigStylingType) Valid() bool {
+	return f >= 0 && f < idpConfigStylingTypeCount
+}
+
+func (st IDPConfigStylingType) GetCSSClass() string {
+	switch st {
+	case IDPConfigStylingTypeGoogle:
+		return "google"
+	default:
+		return ""
+	}
+}

internal/domain/key_pair.go

@@ -0,0 +1,45 @@
+package domain
+
+import (
+	"github.com/caos/zitadel/internal/crypto"
+	es_models "github.com/caos/zitadel/internal/eventstore/v1/models"
+	"time"
+)
+
+type KeyPair struct {
+	es_models.ObjectRoot
+
+	Usage      KeyUsage
+	Algorithm  string
+	PrivateKey *Key
+	PublicKey  *Key
+}
+
+type KeyUsage int32
+
+const (
+	KeyUsageSigning KeyUsage = iota
+)
+
+func (u KeyUsage) String() string {
+	switch u {
+	case KeyUsageSigning:
+		return "sig"
+	}
+	return ""
+}
+
+type Key struct {
+	Key    *crypto.CryptoValue
+	Expiry time.Time
+}
+
+func (k *KeyPair) IsValid() bool {
+	return k.Algorithm != "" &&
+		k.PrivateKey != nil && k.PrivateKey.IsValid() &&
+		k.PublicKey != nil && k.PublicKey.IsValid()
+}
+
+func (k *Key) IsValid() bool {
+	return k.Key != nil
+}

internal/domain/machine.go

@@ -0,0 +1,24 @@
+package domain
+
+import "github.com/caos/zitadel/internal/eventstore/v1/models"
+
+type Machine struct {
+	models.ObjectRoot
+
+	Username    string
+	State       UserState
+	Name        string
+	Description string
+}
+
+func (m Machine) GetUsername() string {
+	return m.Username
+}
+
+func (m Machine) GetState() UserState {
+	return m.State
+}
+
+func (sa *Machine) IsValid() bool {
+	return sa.Name != ""
+}

internal/domain/machine_key.go

@@ -0,0 +1,47 @@
+package domain
+
+import (
+	"time"
+
+	"github.com/caos/zitadel/internal/eventstore/v1/models"
+)
+
+type MachineKey struct {
+	models.ObjectRoot
+
+	KeyID          string
+	Type           AuthNKeyType
+	ExpirationDate time.Time
+	PrivateKey     []byte
+	PublicKey      []byte
+}
+
+func (key *MachineKey) setPublicKey(publicKey []byte) {
+	key.PublicKey = publicKey
+}
+
+func (key *MachineKey) setPrivateKey(privateKey []byte) {
+	key.PrivateKey = privateKey
+}
+
+func (key *MachineKey) expirationDate() time.Time {
+	return key.ExpirationDate
+}
+
+func (key *MachineKey) setExpirationDate(expiration time.Time) {
+	key.ExpirationDate = expiration
+}
+
+type MachineKeyState int32
+
+const (
+	MachineKeyStateUnspecified MachineKeyState = iota
+	MachineKeyStateActive
+	MachineKeyStateRemoved
+
+	machineKeyStateCount
+)
+
+func (f MachineKeyState) Valid() bool {
+	return f >= 0 && f < machineKeyStateCount
+}

internal/domain/member.go

@@ -0,0 +1,40 @@
+package domain
+
+import (
+	es_models "github.com/caos/zitadel/internal/eventstore/v1/models"
+)
+
+type Member struct {
+	es_models.ObjectRoot
+
+	UserID string
+	Roles  []string
+}
+
+func NewMember(aggregateID, userID string, roles ...string) *Member {
+	return &Member{
+		ObjectRoot: es_models.ObjectRoot{
+			AggregateID: aggregateID,
+		},
+		UserID: userID,
+		Roles:  roles,
+	}
+}
+
+func (i *Member) IsValid() bool {
+	return i.AggregateID != "" && i.UserID != "" && len(i.Roles) != 0
+}
+
+type MemberState int32
+
+const (
+	MemberStateUnspecified MemberState = iota
+	MemberStateActive
+	MemberStateRemoved
+
+	memberStateCount
+)
+
+func (f MemberState) Valid() bool {
+	return f >= 0 && f < memberStateCount
+}

internal/domain/mfa.go

@@ -0,0 +1,16 @@
+package domain
+
+type MFAState int32
+
+const (
+	MFAStateUnspecified MFAState = iota
+	MFAStateNotReady
+	MFAStateReady
+	MFAStateRemoved
+
+	stateCount
+)
+
+func (f MFAState) Valid() bool {
+	return f >= 0 && f < stateCount
+}

internal/domain/next_step.go

@@ -0,0 +1,149 @@
+package domain
+
+type NextStep interface {
+	Type() NextStepType
+}
+
+type NextStepType int32
+
+const (
+	NextStepUnspecified NextStepType = iota
+	NextStepLogin
+	NextStepUserSelection
+	NextStepInitUser
+	NextStepPassword
+	NextStepChangePassword
+	NextStepInitPassword
+	NextStepVerifyEmail
+	NextStepMFAPrompt
+	NextStepMFAVerify
+	NextStepRedirectToCallback
+	NextStepChangeUsername
+	NextStepLinkUsers
+	NextStepExternalNotFoundOption
+	NextStepExternalLogin
+	NextStepGrantRequired
+	NextStepPasswordless
+)
+
+type LoginStep struct{}
+
+func (s *LoginStep) Type() NextStepType {
+	return NextStepLogin
+}
+
+type SelectUserStep struct {
+	Users []UserSelection
+}
+
+func (s *SelectUserStep) Type() NextStepType {
+	return NextStepUserSelection
+}
+
+type UserSelection struct {
+	UserID            string
+	DisplayName       string
+	LoginName         string
+	UserSessionState  UserSessionState
+	SelectionPossible bool
+}
+
+type UserSessionState int32
+
+const (
+	UserSessionStateActive UserSessionState = iota
+	UserSessionStateTerminated
+)
+
+type InitUserStep struct {
+	PasswordSet bool
+}
+
+func (s *InitUserStep) Type() NextStepType {
+	return NextStepInitUser
+}
+
+type ExternalNotFoundOptionStep struct{}
+
+func (s *ExternalNotFoundOptionStep) Type() NextStepType {
+	return NextStepExternalNotFoundOption
+}
+
+type PasswordStep struct{}
+
+func (s *PasswordStep) Type() NextStepType {
+	return NextStepPassword
+}
+
+type ExternalLoginStep struct {
+	SelectedIDPConfigID string
+}
+
+func (s *ExternalLoginStep) Type() NextStepType {
+	return NextStepExternalLogin
+}
+
+type PasswordlessStep struct{}
+
+func (s *PasswordlessStep) Type() NextStepType {
+	return NextStepPasswordless
+}
+
+type ChangePasswordStep struct{}
+
+func (s *ChangePasswordStep) Type() NextStepType {
+	return NextStepChangePassword
+}
+
+type InitPasswordStep struct{}
+
+func (s *InitPasswordStep) Type() NextStepType {
+	return NextStepInitPassword
+}
+
+type ChangeUsernameStep struct{}
+
+func (s *ChangeUsernameStep) Type() NextStepType {
+	return NextStepChangeUsername
+}
+
+type VerifyEMailStep struct{}
+
+func (s *VerifyEMailStep) Type() NextStepType {
+	return NextStepVerifyEmail
+}
+
+type MFAPromptStep struct {
+	Required     bool
+	MFAProviders []MFAType
+}
+
+func (s *MFAPromptStep) Type() NextStepType {
+	return NextStepMFAPrompt
+}
+
+type MFAVerificationStep struct {
+	MFAProviders []MFAType
+}
+
+func (s *MFAVerificationStep) Type() NextStepType {
+	return NextStepMFAVerify
+}
+
+type LinkUsersStep struct{}
+
+func (s *LinkUsersStep) Type() NextStepType {
+	return NextStepLinkUsers
+}
+
+type GrantRequiredStep struct{}
+
+func (s *GrantRequiredStep) Type() NextStepType {
+	return NextStepGrantRequired
+}
+
+type RedirectToCallbackStep struct{}
+
+func (s *RedirectToCallbackStep) Type() NextStepType {
+	return NextStepRedirectToCallback
+}

internal/domain/notification.go

@@ -0,0 +1,14 @@
+package domain
+
+type NotificationType int32
+
+const (
+	NotificationTypeEmail NotificationType = iota
+	NotificationTypeSms
+
+	notificationCount
+)
+
+func (f NotificationType) Valid() bool {
+	return f >= 0 && f < notificationCount
+}

internal/domain/oidc_code_challenge.go

@@ -0,0 +1,17 @@
+package domain
+
+type OIDCCodeChallenge struct {
+	Challenge string
+	Method    OIDCCodeChallengeMethod
+}
+
+func (c *OIDCCodeChallenge) IsValid() bool {
+	return c.Challenge != ""
+}
+
+type OIDCCodeChallengeMethod int32
+
+const (
+	CodeChallengeMethodPlain OIDCCodeChallengeMethod = iota
+	CodeChallengeMethodS256
+)

internal/domain/oidc_mapping_field.go

@@ -0,0 +1,15 @@
+package domain
+
+type OIDCMappingField int32
+
+const (
+	OIDCMappingFieldUnspecified OIDCMappingField = iota
+	OIDCMappingFieldPreferredLoginName
+	OIDCMappingFieldEmail
+	// count is for validation purposes
+	oidcMappingFieldCount
+)
+
+func (f OIDCMappingField) Valid() bool {
+	return f > 0 && f < oidcMappingFieldCount
+}

internal/domain/org.go

@@ -0,0 +1,46 @@
+package domain
+
+import (
+	"strings"
+
+	"github.com/caos/zitadel/internal/eventstore/v1/models"
+)
+
+type Org struct {
+	models.ObjectRoot
+
+	State OrgState
+	Name  string
+
+	PrimaryDomain            string
+	Domains                  []*OrgDomain
+	Members                  []*Member
+	OrgIamPolicy             *OrgIAMPolicy
+	LoginPolicy              *LoginPolicy
+	LabelPolicy              *LabelPolicy
+	PasswordComplexityPolicy *PasswordComplexityPolicy
+	PasswordAgePolicy        *PasswordAgePolicy
+	PasswordLockoutPolicy    *PasswordLockoutPolicy
+	IDPs                     []*IDPConfig
+}
+
+func (o *Org) IsValid() bool {
+	return o.Name != ""
+}
+
+func (o *Org) AddIAMDomain(iamDomain string) {
+	o.Domains = append(o.Domains, &OrgDomain{Domain: o.nameForDomain(iamDomain), Verified: true, Primary: true})
+}
+
+func (o *Org) nameForDomain(iamDomain string) string {
+	return strings.ToLower(strings.ReplaceAll(o.Name, " ", "-") + "." + iamDomain)
+}
+
+type OrgState int32
+
+const (
+	OrgStateUnspecified OrgState = iota
+	OrgStateActive
+	OrgStateInactive
+	OrgStateRemoved
+)

internal/domain/org_domain.go

@@ -0,0 +1,63 @@
+package domain
+
+import (
+	http_util "github.com/caos/zitadel/internal/api/http"
+	"github.com/caos/zitadel/internal/crypto"
+	"github.com/caos/zitadel/internal/eventstore/v1/models"
+)
+
+type OrgDomain struct {
+	models.ObjectRoot
+
+	Domain         string
+	Primary        bool
+	Verified       bool
+	ValidationType OrgDomainValidationType
+	ValidationCode *crypto.CryptoValue
+}
+
+func (domain *OrgDomain) IsValid() bool {
+	return domain.AggregateID != "" && domain.Domain != ""
+}
+
+func (domain *OrgDomain) GenerateVerificationCode(codeGenerator crypto.Generator) (string, error) {
+	validationCodeCrypto, validationCode, err := crypto.NewCode(codeGenerator)
+	if err != nil {
+		return "", err
+	}
+	domain.ValidationCode = validationCodeCrypto
+	return validationCode, nil
+}
+
+type OrgDomainValidationType int32
+
+const (
+	OrgDomainValidationTypeUnspecified OrgDomainValidationType = iota
+	OrgDomainValidationTypeHTTP
+	OrgDomainValidationTypeDNS
+)
+
+func (t OrgDomainValidationType) CheckType() (http_util.CheckType, bool) {
+	switch t {
+	case OrgDomainValidationTypeHTTP:
+		return http_util.CheckTypeHTTP, true
+	case OrgDomainValidationTypeDNS:
+		return http_util.CheckTypeDNS, true
+	default:
+		return -1, false
+	}
+}
+
+type OrgDomainState int32
+
+const (
+	OrgDomainStateUnspecified OrgDomainState = iota
+	OrgDomainStateActive
+	OrgDomainStateRemoved
+
+	orgDomainStateCount
+)
+
+func (f OrgDomainState) Valid() bool {
+	return f >= 0 && f < orgDomainStateCount
+}

internal/domain/policy.go

@@ -0,0 +1,15 @@
+package domain
+
+type PolicyState int32
+
+const (
+	PolicyStateUnspecified PolicyState = iota
+	PolicyStateActive
+	PolicyStateRemoved
+
+	policyStateCount
+)
+
+func (f PolicyState) Valid() bool {
+	return f >= 0 && f < policyStateCount
+}

internal/domain/policy_label.go

@@ -0,0 +1,13 @@
+package domain
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v1/models"
+)
+
+type LabelPolicy struct {
+	models.ObjectRoot
+
+	Default        bool
+	PrimaryColor   string
+	SecondaryColor string
+}

internal/domain/policy_login.go

@@ -0,0 +1,49 @@
+package domain
+
+import "github.com/caos/zitadel/internal/eventstore/v1/models"
+
+type LoginPolicy struct {
+	models.ObjectRoot
+
+	Default               bool
+	AllowUsernamePassword bool
+	AllowRegister         bool
+	AllowExternalIDP      bool
+	IDPProviders          []*IDPProvider
+	ForceMFA              bool
+	SecondFactors         []SecondFactorType
+	MultiFactors          []MultiFactorType
+	PasswordlessType      PasswordlessType
+}
+
+type IDPProvider struct {
+	models.ObjectRoot
+	Type        IdentityProviderType
+	IDPConfigID string
+
+	Name          string
+	StylingType   IDPConfigStylingType
+	IDPConfigType IDPConfigType
+	IDPState      IDPConfigState
+}
+
+type PasswordlessType int32
+
+const (
+	PasswordlessTypeNotAllowed PasswordlessType = iota
+	PasswordlessTypeAllowed
+
+	passwordlessCount
+)
+
+func (f PasswordlessType) Valid() bool {
+	return f >= 0 && f < passwordlessCount
+}
+
+func (p *LoginPolicy) HasSecondFactors() bool {
+	return len(p.SecondFactors) > 0
+}
+
+func (p *LoginPolicy) HasMultiFactors() bool {
+	return len(p.MultiFactors) > 0
+}

internal/domain/policy_mail_template.go

@@ -0,0 +1,15 @@
+package domain
+
+import "github.com/caos/zitadel/internal/eventstore/v1/models"
+
+type MailTemplate struct {
+	models.ObjectRoot
+
+	State    PolicyState
+	Default  bool
+	Template []byte
+}
+
+func (m *MailTemplate) IsValid() bool {
+	return m.Template != nil
+}

internal/domain/policy_mail_text.go

@@ -0,0 +1,22 @@
+package domain
+
+import "github.com/caos/zitadel/internal/eventstore/v1/models"
+
+type MailText struct {
+	models.ObjectRoot
+
+	State        PolicyState
+	Default      bool
+	MailTextType string
+	Language     string
+	Title        string
+	PreHeader    string
+	Subject      string
+	Greeting     string
+	Text         string
+	ButtonText   string
+}
+
+func (m *MailText) IsValid() bool {
+	return m.MailTextType != "" && m.Language != "" && m.Title != "" && m.PreHeader != "" && m.Subject != "" && m.Greeting != "" && m.Text != "" && m.ButtonText != ""
+}

internal/domain/policy_org_iam.go

@@ -0,0 +1,12 @@
+package domain
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v1/models"
+)
+
+type OrgIAMPolicy struct {
+	models.ObjectRoot
+
+	UserLoginMustBeDomain bool
+	Default               bool
+}

internal/domain/policy_password_age.go

@@ -0,0 +1,12 @@
+package domain
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v1/models"
+)
+
+type PasswordAgePolicy struct {
+	models.ObjectRoot
+
+	MaxAgeDays     uint64
+	ExpireWarnDays uint64
+}

internal/domain/policy_password_complexity.go

@@ -0,0 +1,56 @@
+package domain
+
+import (
+	caos_errs "github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/v1/models"
+	"regexp"
+)
+
+var (
+	hasStringLowerCase = regexp.MustCompile(`[a-z]`).MatchString
+	hasStringUpperCase = regexp.MustCompile(`[A-Z]`).MatchString
+	hasNumber          = regexp.MustCompile(`[0-9]`).MatchString
+	hasSymbol          = regexp.MustCompile(`[^A-Za-z0-9]`).MatchString
+)
+
+type PasswordComplexityPolicy struct {
+	models.ObjectRoot
+
+	MinLength    uint64
+	HasLowercase bool
+	HasUppercase bool
+	HasNumber    bool
+	HasSymbol    bool
+
+	Default bool
+}
+
+func (p *PasswordComplexityPolicy) IsValid() error {
+	if p.MinLength == 0 || p.MinLength > 72 {
+		return caos_errs.ThrowInvalidArgument(nil, "MODEL-Lsp0e", "Errors.User.PasswordComplexityPolicy.MinLengthNotAllowed")
+	}
+	return nil
+}
+
+func (p *PasswordComplexityPolicy) Check(password string) error {
+	if p.MinLength != 0 && uint64(len(password)) < p.MinLength {
+		return caos_errs.ThrowInvalidArgument(nil, "DOMAIN-HuJf6", "Errors.User.PasswordComplexityPolicy.MinLength")
+	}
+
+	if p.HasLowercase && !hasStringLowerCase(password) {
+		return caos_errs.ThrowInvalidArgument(nil, "DOMAIN-co3Xw", "Errors.User.PasswordComplexityPolicy.HasLower")
+	}
+
+	if p.HasUppercase && !hasStringUpperCase(password) {
+		return caos_errs.ThrowInvalidArgument(nil, "DOMAIN-VoaRj", "Errors.User.PasswordComplexityPolicy.HasUpper")
+	}
+
+	if p.HasNumber && !hasNumber(password) {
+		return caos_errs.ThrowInvalidArgument(nil, "DOMAIN-ZBv4H", "Errors.User.PasswordComplexityPolicy.HasNumber")
+	}
+
+	if p.HasSymbol && !hasSymbol(password) {
+		return caos_errs.ThrowInvalidArgument(nil, "DOMAIN-ZDLwA", "Errors.User.PasswordComplexityPolicy.HasSymbol")
+	}
+	return nil
+}

internal/domain/policy_password_lockout.go

@@ -0,0 +1,12 @@
+package domain
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v1/models"
+)
+
+type PasswordLockoutPolicy struct {
+	models.ObjectRoot
+
+	MaxAttempts         uint64
+	ShowLockOutFailures bool
+}

internal/domain/project.go

@@ -0,0 +1,31 @@
+package domain
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v1/models"
+)
+
+type Project struct {
+	models.ObjectRoot
+
+	State   ProjectState
+	Name    string
+	Members []*Member
+	Roles   []*ProjectRole
+	//Applications         []*Application
+	//Grants               []*ProjectGrant
+	ProjectRoleAssertion bool
+	ProjectRoleCheck     bool
+}
+
+type ProjectState int32
+
+const (
+	ProjectStateUnspecified ProjectState = iota
+	ProjectStateActive
+	ProjectStateInactive
+	ProjectStateRemoved
+)
+
+func (o *Project) IsValid() bool {
+	return o.Name != ""
+}

internal/domain/project_grant.go

@@ -0,0 +1,49 @@
+package domain
+
+import es_models "github.com/caos/zitadel/internal/eventstore/v1/models"
+
+type ProjectGrant struct {
+	es_models.ObjectRoot
+
+	GrantID      string
+	GrantedOrgID string
+	State        ProjectGrantState
+	RoleKeys     []string
+}
+
+type ProjectGrantIDs struct {
+	ProjectID string
+	GrantID   string
+}
+
+type ProjectGrantState int32
+
+const (
+	ProjectGrantStateUnspecified ProjectGrantState = iota
+	ProjectGrantStateActive
+	ProjectGrantStateInactive
+	ProjectGrantStateRemoved
+)
+
+func (p *ProjectGrant) IsValid() bool {
+	return p.GrantedOrgID != ""
+}
+
+func GetRemovedRoles(existingRoles, newRoles []string) []string {
+	removed := make([]string, 0)
+	for _, role := range existingRoles {
+		if !containsKey(newRoles, role) {
+			removed = append(removed, role)
+		}
+	}
+	return removed
+}
+
+func containsKey(roles []string, key string) bool {
+	for _, role := range roles {
+		if role == key {
+			return true
+		}
+	}
+	return false
+}

internal/domain/project_grant_member.go

@@ -0,0 +1,28 @@
+package domain
+
+import (
+	es_models "github.com/caos/zitadel/internal/eventstore/v1/models"
+)
+
+type ProjectGrantMember struct {
+	es_models.ObjectRoot
+
+	GrantID string
+	UserID  string
+	Roles   []string
+}
+
+func NewProjectGrantMember(aggregateID, userID, grantID string, roles ...string) *ProjectGrantMember {
+	return &ProjectGrantMember{
+		ObjectRoot: es_models.ObjectRoot{
+			AggregateID: aggregateID,
+		},
+		GrantID: grantID,
+		UserID:  userID,
+		Roles:   roles,
+	}
+}
+
+func (i *ProjectGrantMember) IsValid() bool {
+	return i.AggregateID != "" && i.GrantID != "" && i.UserID != "" && len(i.Roles) != 0
+}

internal/domain/project_role.go

@@ -0,0 +1,29 @@
+package domain
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v1/models"
+)
+
+type ProjectRole struct {
+	models.ObjectRoot
+
+	Key         string
+	DisplayName string
+	Group       string
+}
+
+type ProjectRoleState int32
+
+const (
+	ProjectRoleStateUnspecified ProjectRoleState = iota
+	ProjectRoleStateActive
+	ProjectRoleStateRemoved
+)
+
+func NewProjectRole(projectID, key string) *ProjectRole {
+	return &ProjectRole{ObjectRoot: models.ObjectRoot{AggregateID: projectID}, Key: key}
+}
+
+func (p *ProjectRole) IsValid() bool {
+	return p.AggregateID != "" && p.Key != ""
+}

internal/domain/provider.go

@@ -0,0 +1,28 @@
+package domain
+
+type IdentityProviderType int8
+
+const (
+	IdentityProviderTypeSystem IdentityProviderType = iota
+	IdentityProviderTypeOrg
+
+	identityProviderCount
+)
+
+func (f IdentityProviderType) Valid() bool {
+	return f >= 0 && f < identityProviderCount
+}
+
+type IdentityProviderState int32
+
+const (
+	IdentityProviderStateUnspecified IdentityProviderState = iota
+	IdentityProviderStateActive
+	IdentityProviderStateRemoved
+
+	idpProviderState
+)
+
+func (s IdentityProviderState) Valid() bool {
+	return s >= 0 && s < idpProviderState
+}

internal/domain/request.go

@@ -0,0 +1,54 @@
+package domain
+
+const (
+	OrgDomainPrimaryScope = "urn:zitadel:iam:org:domain:primary:"
+	OrgDomainPrimaryClaim = "urn:zitadel:iam:org:domain:primary"
+	ProjectIDScope        = "urn:zitadel:iam:org:project:id:"
+	AudSuffix             = ":aud"
+)
+
+//TODO: Change AuthRequest to interface and let oidcauthreqesut implement it
+type Request interface {
+	Type() AuthRequestType
+	IsValid() bool
+}
+
+type AuthRequestType int32
+
+var (
+	authRequestTypeMapping = map[AuthRequestType]Request{
+		AuthRequestTypeOIDC: &AuthRequestOIDC{},
+	}
+)
+
+const (
+	AuthRequestTypeOIDC AuthRequestType = iota
+	AuthRequestTypeSAML
+)
+
+type AuthRequestOIDC struct {
+	Scopes        []string
+	ResponseType  OIDCResponseType
+	Nonce         string
+	CodeChallenge *OIDCCodeChallenge
+}
+
+func (a *AuthRequestOIDC) Type() AuthRequestType {
+	return AuthRequestTypeOIDC
+}
+
+func (a *AuthRequestOIDC) IsValid() bool {
+	return len(a.Scopes) > 0 &&
+		a.CodeChallenge == nil || a.CodeChallenge != nil && a.CodeChallenge.IsValid()
+}
+
+type AuthRequestSAML struct {
+}
+
+func (a *AuthRequestSAML) Type() AuthRequestType {
+	return AuthRequestTypeSAML
+}
+
+func (a *AuthRequestSAML) IsValid() bool {
+	return true
+}

internal/domain/roles.go

@@ -0,0 +1,9 @@
+package domain
+
+const (
+	RoleOrgOwner           = "ORG_OWNER"
+	RoleOrgProjectCreator  = "ORG_PROJECT_CREATOR"
+	RoleIAMOwner           = "IAM_OWNER"
+	RoleProjectOwner       = "PROJECT_OWNER"
+	RoleProjectOwnerGlobal = "PROJECT_OWNER_GLOBAL"
+)

internal/domain/step.go

@@ -0,0 +1,19 @@
+package domain
+
+type Step int
+
+const (
+	Step1 Step = iota + 1
+	Step2
+	Step3
+	Step4
+	Step5
+	Step6
+	Step7
+	Step8
+	Step9
+	Step10
+	Step11
+	//StepCount marks the the length of possible steps (StepCount-1 == last possible step)
+	StepCount
+)

internal/domain/token.go

@@ -0,0 +1,28 @@
+package domain
+
+import (
+	es_models "github.com/caos/zitadel/internal/eventstore/v1/models"
+	"strings"
+	"time"
+)
+
+type Token struct {
+	es_models.ObjectRoot
+
+	TokenID           string
+	ApplicationID     string
+	UserAgentID       string
+	Audience          []string
+	Expiration        time.Time
+	Scopes            []string
+	PreferredLanguage string
+}
+
+func AddAudScopeToAudience(audience, scopes []string) []string {
+	for _, scope := range scopes {
+		if strings.HasPrefix(scope, ProjectIDScope) && strings.HasSuffix(scope, AudSuffix) {
+			audience = append(audience, strings.TrimSuffix(strings.TrimPrefix(scope, ProjectIDScope), AudSuffix))
+		}
+	}
+	return audience
+}

internal/domain/unique_constraint_migration.go

@@ -0,0 +1,9 @@
+package domain
+
+type UniqueConstraintMigration struct {
+	AggregateID  string
+	ObjectID     string
+	UniqueType   string
+	UniqueField  string
+	ErrorMessage string
+}

internal/domain/user.go

@@ -0,0 +1,24 @@
+package domain
+
+type User interface {
+	GetUsername() string
+	GetState() UserState
+}
+
+type UserState int32
+
+const (
+	UserStateUnspecified UserState = iota
+	UserStateActive
+	UserStateInactive
+	UserStateDeleted
+	UserStateLocked
+	UserStateSuspend
+	UserStateInitial
+
+	userStateCount
+)
+
+func (f UserState) Valid() bool {
+	return f >= 0 && f < userStateCount
+}

internal/domain/user_grant.go

@@ -0,0 +1,26 @@
+package domain
+
+import es_models "github.com/caos/zitadel/internal/eventstore/v1/models"
+
+type UserGrant struct {
+	es_models.ObjectRoot
+
+	State          UserGrantState
+	UserID         string
+	ProjectID      string
+	ProjectGrantID string
+	RoleKeys       []string
+}
+
+type UserGrantState int32
+
+const (
+	UserGrantStateUnspecified UserGrantState = iota
+	UserGrantStateActive
+	UserGrantStateInactive
+	UserGrantStateRemoved
+)
+
+func (u *UserGrant) IsValid() bool {
+	return u.ProjectID != "" && u.UserID != ""
+}