feat: idp and login policy configurations (#619)

* feat: oidc config

* fix: oidc configurations

* feat: oidc idp config

* feat: add oidc config test

* fix: tests

* fix: tests

* feat: translate new events

* feat: idp eventstore

* feat: idp eventstore

* fix: tests

* feat: command side idp

* feat: query side idp

* feat: idp config on org

* fix: tests

* feat: authz idp on org

* feat: org idps

* feat: login policy

* feat: login policy

* feat: login policy

* feat: add idp func on login policy

* feat: add validation to loginpolicy and idp provider

* feat: add default login policy

* feat: login policy on org

* feat: login policy on org

* fix: id config handlers

* fix: id config handlers

* fix: create idp on org

* fix: create idp on org

* fix: not existing idp config

* fix: default login policy

* fix: add login policy on org

* fix: idp provider search on org

* fix: test

* fix: remove idp on org

* fix: test

* fix: test

* fix: remove admin idp

* fix: logo src as byte

* fix: migration

* fix: tests

* Update internal/iam/repository/eventsourcing/iam.go

Co-authored-by: Silvan <silvan.reusser@gmail.com>

* Update internal/iam/repository/eventsourcing/iam_test.go

Co-authored-by: Silvan <silvan.reusser@gmail.com>

* Update internal/iam/repository/eventsourcing/iam_test.go

Co-authored-by: Silvan <silvan.reusser@gmail.com>

* Update internal/iam/repository/eventsourcing/model/login_policy.go

Co-authored-by: Silvan <silvan.reusser@gmail.com>

* Update internal/iam/repository/eventsourcing/model/login_policy.go

Co-authored-by: Silvan <silvan.reusser@gmail.com>

* Update internal/org/repository/eventsourcing/org_test.go

Co-authored-by: Silvan <silvan.reusser@gmail.com>

* Update internal/iam/repository/eventsourcing/model/login_policy_test.go

Co-authored-by: Silvan <silvan.reusser@gmail.com>

* Update internal/iam/repository/eventsourcing/model/login_policy_test.go

Co-authored-by: Silvan <silvan.reusser@gmail.com>

* fix: pr comments

* fix: tests

* Update types.go

* fix: merge request changes

* fix: reduce optimization

Co-authored-by: Silvan <silvan.reusser@gmail.com>
Co-authored-by: Livio Amstutz <livio.a@gmail.com>

internal/org/repository/eventsourcing/model/idp_config.go

@@ -0,0 +1,85 @@
+package model
+
+import (
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	"github.com/caos/zitadel/internal/iam/model"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+)
+
+func (o *Org) appendAddIDPConfigEvent(event *es_models.Event) error {
+	idp := new(iam_es_model.IDPConfig)
+	err := idp.SetData(event)
+	if err != nil {
+		return err
+	}
+	idp.ObjectRoot.CreationDate = event.CreationDate
+	o.IDPs = append(o.IDPs, idp)
+	return nil
+}
+
+func (o *Org) appendChangeIDPConfigEvent(event *es_models.Event) error {
+	idp := new(iam_es_model.IDPConfig)
+	err := idp.SetData(event)
+	if err != nil {
+		return err
+	}
+	if i, idpConfig := iam_es_model.GetIDPConfig(o.IDPs, idp.IDPConfigID); idpConfig != nil {
+		o.IDPs[i].SetData(event)
+	}
+	return nil
+}
+
+func (o *Org) appendRemoveIDPConfigEvent(event *es_models.Event) error {
+	idp := new(iam_es_model.IDPConfig)
+	err := idp.SetData(event)
+	if err != nil {
+		return err
+	}
+	if i, idpConfig := iam_es_model.GetIDPConfig(o.IDPs, idp.IDPConfigID); idpConfig != nil {
+		o.IDPs[i] = o.IDPs[len(o.IDPs)-1]
+		o.IDPs[len(o.IDPs)-1] = nil
+		o.IDPs = o.IDPs[:len(o.IDPs)-1]
+	}
+	return nil
+}
+
+func (o *Org) appendIDPConfigStateEvent(event *es_models.Event, state model.IDPConfigState) error {
+	idp := new(iam_es_model.IDPConfig)
+	err := idp.SetData(event)
+	if err != nil {
+		return err
+	}
+
+	if i, idpConfig := iam_es_model.GetIDPConfig(o.IDPs, idp.IDPConfigID); idpConfig != nil {
+		idpConfig.State = int32(state)
+		o.IDPs[i] = idpConfig
+	}
+	return nil
+}
+
+func (o *Org) appendAddOIDCIDPConfigEvent(event *es_models.Event) error {
+	config := new(iam_es_model.OIDCIDPConfig)
+	err := config.SetData(event)
+	if err != nil {
+		return err
+	}
+	config.ObjectRoot.CreationDate = event.CreationDate
+	if i, idpConfig := iam_es_model.GetIDPConfig(o.IDPs, config.IDPConfigID); idpConfig != nil {
+		o.IDPs[i].Type = int32(model.IDPConfigTypeOIDC)
+		o.IDPs[i].OIDCIDPConfig = config
+	}
+	return nil
+}
+
+func (o *Org) appendChangeOIDCIDPConfigEvent(event *es_models.Event) error {
+	config := new(iam_es_model.OIDCIDPConfig)
+	err := config.SetData(event)
+	if err != nil {
+		return err
+	}
+
+	if i, idpConfig := iam_es_model.GetIDPConfig(o.IDPs, config.IDPConfigID); idpConfig != nil {
+		o.IDPs[i].OIDCIDPConfig.SetData(event)
+	}
+	return nil
+}

internal/org/repository/eventsourcing/model/idp_config_test.go

@@ -0,0 +1,252 @@
+package model
+
+import (
+	"encoding/json"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	"github.com/caos/zitadel/internal/iam/model"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+	"testing"
+)
+
+func TestAppendAddIdpConfigEvent(t *testing.T) {
+	type args struct {
+		org   *Org
+		idp   *iam_es_model.IDPConfig
+		event *es_models.Event
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result *Org
+	}{
+		{
+			name: "append add idp config event",
+			args: args{
+				org:   &Org{},
+				idp:   &iam_es_model.IDPConfig{Name: "IDPConfig"},
+				event: &es_models.Event{},
+			},
+			result: &Org{IDPs: []*iam_es_model.IDPConfig{&iam_es_model.IDPConfig{Name: "IDPConfig"}}},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.args.idp != nil {
+				data, _ := json.Marshal(tt.args.idp)
+				tt.args.event.Data = data
+			}
+			tt.args.org.appendAddIDPConfigEvent(tt.args.event)
+			if len(tt.args.org.IDPs) != 1 {
+				t.Errorf("got wrong result should have one idpConfig actual: %v ", len(tt.args.org.IDPs))
+			}
+			if tt.args.org.IDPs[0] == tt.result.IDPs[0] {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.IDPs[0], tt.args.org.IDPs[0])
+			}
+		})
+	}
+}
+
+func TestAppendChangeIdpConfigEvent(t *testing.T) {
+	type args struct {
+		org       *Org
+		idpConfig *iam_es_model.IDPConfig
+		event     *es_models.Event
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result *Org
+	}{
+		{
+			name: "append change idp config event",
+			args: args{
+				org:       &Org{IDPs: []*iam_es_model.IDPConfig{&iam_es_model.IDPConfig{Name: "IDPConfig"}}},
+				idpConfig: &iam_es_model.IDPConfig{Name: "IDPConfig Change"},
+				event:     &es_models.Event{},
+			},
+			result: &Org{IDPs: []*iam_es_model.IDPConfig{&iam_es_model.IDPConfig{Name: "IDPConfig Change"}}},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.args.idpConfig != nil {
+				data, _ := json.Marshal(tt.args.idpConfig)
+				tt.args.event.Data = data
+			}
+			tt.args.org.appendChangeIDPConfigEvent(tt.args.event)
+			if len(tt.args.org.IDPs) != 1 {
+				t.Errorf("got wrong result should have one idpConfig actual: %v ", len(tt.args.org.IDPs))
+			}
+			if tt.args.org.IDPs[0] == tt.result.IDPs[0] {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.IDPs[0], tt.args.org.IDPs[0])
+			}
+		})
+	}
+}
+
+func TestAppendRemoveIDPEvent(t *testing.T) {
+	type args struct {
+		org   *Org
+		idp   *iam_es_model.IDPConfig
+		event *es_models.Event
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result *Org
+	}{
+		{
+			name: "append remove idp config event",
+			args: args{
+				org:   &Org{IDPs: []*iam_es_model.IDPConfig{&iam_es_model.IDPConfig{IDPConfigID: "IDPConfigID", Name: "IDPConfig"}}},
+				idp:   &iam_es_model.IDPConfig{IDPConfigID: "IDPConfigID", Name: "IDPConfig"},
+				event: &es_models.Event{},
+			},
+			result: &Org{IDPs: []*iam_es_model.IDPConfig{}},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.args.idp != nil {
+				data, _ := json.Marshal(tt.args.idp)
+				tt.args.event.Data = data
+			}
+			tt.args.org.appendRemoveIDPConfigEvent(tt.args.event)
+			if len(tt.args.org.IDPs) != 0 {
+				t.Errorf("got wrong result should have no apps actual: %v ", len(tt.args.org.IDPs))
+			}
+		})
+	}
+}
+
+func TestAppendAppStateEvent(t *testing.T) {
+	type args struct {
+		org   *Org
+		idp   *iam_es_model.IDPConfig
+		event *es_models.Event
+		state model.IDPConfigState
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result *Org
+	}{
+		{
+			name: "append deactivate application event",
+			args: args{
+				org:   &Org{IDPs: []*iam_es_model.IDPConfig{&iam_es_model.IDPConfig{IDPConfigID: "IDPConfigID", Name: "IDPConfig", State: int32(model.IDPConfigStateActive)}}},
+				idp:   &iam_es_model.IDPConfig{IDPConfigID: "IDPConfigID"},
+				event: &es_models.Event{},
+				state: model.IDPConfigStateInactive,
+			},
+			result: &Org{IDPs: []*iam_es_model.IDPConfig{&iam_es_model.IDPConfig{IDPConfigID: "IDPConfigID", Name: "IDPConfig", State: int32(model.IDPConfigStateInactive)}}},
+		},
+		{
+			name: "append reactivate application event",
+			args: args{
+				org:   &Org{IDPs: []*iam_es_model.IDPConfig{&iam_es_model.IDPConfig{IDPConfigID: "IDPConfigID", Name: "IDPConfig", State: int32(model.IDPConfigStateInactive)}}},
+				idp:   &iam_es_model.IDPConfig{IDPConfigID: "IDPConfigID"},
+				event: &es_models.Event{},
+				state: model.IDPConfigStateActive,
+			},
+			result: &Org{IDPs: []*iam_es_model.IDPConfig{&iam_es_model.IDPConfig{IDPConfigID: "IDPConfigID", Name: "IDPConfig", State: int32(model.IDPConfigStateActive)}}},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.args.idp != nil {
+				data, _ := json.Marshal(tt.args.idp)
+				tt.args.event.Data = data
+			}
+			tt.args.org.appendIDPConfigStateEvent(tt.args.event, tt.args.state)
+			if len(tt.args.org.IDPs) != 1 {
+				t.Errorf("got wrong result should have one idpConfig actual: %v ", len(tt.args.org.IDPs))
+			}
+			if tt.args.org.IDPs[0] == tt.result.IDPs[0] {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.IDPs[0], tt.args.org.IDPs[0])
+			}
+		})
+	}
+}
+
+func TestAppendAddOIDCIdpConfigEvent(t *testing.T) {
+	type args struct {
+		org    *Org
+		config *iam_es_model.OIDCIDPConfig
+		event  *es_models.Event
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result *Org
+	}{
+		{
+			name: "append add oidc idp config event",
+			args: args{
+				org:    &Org{IDPs: []*iam_es_model.IDPConfig{&iam_es_model.IDPConfig{IDPConfigID: "IDPConfigID"}}},
+				config: &iam_es_model.OIDCIDPConfig{IDPConfigID: "IDPConfigID", ClientID: "ClientID"},
+				event:  &es_models.Event{},
+			},
+			result: &Org{IDPs: []*iam_es_model.IDPConfig{&iam_es_model.IDPConfig{IDPConfigID: "IDPConfigID", OIDCIDPConfig: &iam_es_model.OIDCIDPConfig{IDPConfigID: "IDPConfigID", ClientID: "ClientID"}}}},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.args.config != nil {
+				data, _ := json.Marshal(tt.args.config)
+				tt.args.event.Data = data
+			}
+			tt.args.org.appendAddOIDCIDPConfigEvent(tt.args.event)
+			if len(tt.args.org.IDPs) != 1 {
+				t.Errorf("got wrong result should have one idpConfig actual: %v ", len(tt.args.org.IDPs))
+			}
+			if tt.args.org.IDPs[0].OIDCIDPConfig == nil {
+				t.Errorf("got wrong result should have oidc config actual: %v ", tt.args.org.IDPs[0].OIDCIDPConfig)
+			}
+			if tt.args.org.IDPs[0] == tt.result.IDPs[0] {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.IDPs[0], tt.args.org.IDPs[0])
+			}
+		})
+	}
+}
+
+func TestAppendChangeOIDCIdpConfigEvent(t *testing.T) {
+	type args struct {
+		org    *Org
+		config *iam_es_model.OIDCIDPConfig
+		event  *es_models.Event
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result *Org
+	}{
+		{
+			name: "append change oidc idp config event",
+			args: args{
+				org:    &Org{IDPs: []*iam_es_model.IDPConfig{&iam_es_model.IDPConfig{IDPConfigID: "IDPConfigID", OIDCIDPConfig: &iam_es_model.OIDCIDPConfig{IDPConfigID: "IDPConfigID", ClientID: "ClientID"}}}},
+				config: &iam_es_model.OIDCIDPConfig{IDPConfigID: "IDPConfigID", ClientID: "ClientID Changed"},
+				event:  &es_models.Event{},
+			},
+			result: &Org{IDPs: []*iam_es_model.IDPConfig{&iam_es_model.IDPConfig{IDPConfigID: "IDPConfigID", OIDCIDPConfig: &iam_es_model.OIDCIDPConfig{IDPConfigID: "IDPConfigID", ClientID: "ClientID Changed"}}}},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.args.config != nil {
+				data, _ := json.Marshal(tt.args.config)
+				tt.args.event.Data = data
+			}
+			tt.args.org.appendChangeOIDCIDPConfigEvent(tt.args.event)
+			if len(tt.args.org.IDPs) != 1 {
+				t.Errorf("got wrong result should have one idpConfig actual: %v ", len(tt.args.org.IDPs))
+			}
+			if tt.args.org.IDPs[0].OIDCIDPConfig == nil {
+				t.Errorf("got wrong result should have oidc config actual: %v ", tt.args.org.IDPs[0].OIDCIDPConfig)
+			}
+			if tt.args.org.IDPs[0] == tt.result.IDPs[0] {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.IDPs[0], tt.args.org.IDPs[0])
+			}
+		})
+	}
+}

internal/org/repository/eventsourcing/model/login_policy.go

@@ -0,0 +1,49 @@
+package model
+
+import (
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+)
+
+func (o *Org) appendAddLoginPolicyEvent(event *es_models.Event) error {
+	o.LoginPolicy = new(iam_es_model.LoginPolicy)
+	err := o.LoginPolicy.SetData(event)
+	if err != nil {
+		return err
+	}
+	o.LoginPolicy.ObjectRoot.CreationDate = event.CreationDate
+	return nil
+}
+
+func (o *Org) appendChangeLoginPolicyEvent(event *es_models.Event) error {
+	return o.LoginPolicy.SetData(event)
+}
+
+func (o *Org) appendRemoveLoginPolicyEvent(event *es_models.Event) {
+	o.LoginPolicy = nil
+}
+
+func (o *Org) appendAddIdpProviderToLoginPolicyEvent(event *es_models.Event) error {
+	provider := &iam_es_model.IDPProvider{}
+	err := provider.SetData(event)
+	if err != nil {
+		return err
+	}
+	provider.ObjectRoot.CreationDate = event.CreationDate
+	o.LoginPolicy.IDPProviders = append(o.LoginPolicy.IDPProviders, provider)
+	return nil
+}
+
+func (o *Org) appendRemoveIdpProviderFromLoginPolicyEvent(event *es_models.Event) error {
+	provider := &iam_es_model.IDPProvider{}
+	err := provider.SetData(event)
+	if err != nil {
+		return err
+	}
+	if i, m := iam_es_model.GetIDPProvider(o.LoginPolicy.IDPProviders, provider.IDPConfigID); m != nil {
+		o.LoginPolicy.IDPProviders[i] = o.LoginPolicy.IDPProviders[len(o.LoginPolicy.IDPProviders)-1]
+		o.LoginPolicy.IDPProviders[len(o.LoginPolicy.IDPProviders)-1] = nil
+		o.LoginPolicy.IDPProviders = o.LoginPolicy.IDPProviders[:len(o.LoginPolicy.IDPProviders)-1]
+	}
+	return nil
+}

internal/org/repository/eventsourcing/model/login_policy_test.go

@@ -0,0 +1,210 @@
+package model
+
+import (
+	"encoding/json"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+	"testing"
+)
+
+func TestAppendAddLoginPolicyEvent(t *testing.T) {
+	type args struct {
+		org    *Org
+		policy *iam_es_model.LoginPolicy
+		event  *es_models.Event
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result *Org
+	}{
+		{
+			name: "append add login policy event",
+			args: args{
+				org:    &Org{},
+				policy: &iam_es_model.LoginPolicy{AllowUsernamePassword: true, AllowRegister: true, AllowExternalIdp: true},
+				event:  &es_models.Event{},
+			},
+			result: &Org{LoginPolicy: &iam_es_model.LoginPolicy{AllowUsernamePassword: true, AllowRegister: true, AllowExternalIdp: true}},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.args.policy != nil {
+				data, _ := json.Marshal(tt.args.policy)
+				tt.args.event.Data = data
+			}
+			tt.args.org.appendAddLoginPolicyEvent(tt.args.event)
+			if tt.result.LoginPolicy.AllowUsernamePassword != tt.args.org.LoginPolicy.AllowUsernamePassword {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.LoginPolicy.AllowUsernamePassword, tt.args.org.LoginPolicy.AllowUsernamePassword)
+			}
+			if tt.result.LoginPolicy.AllowRegister != tt.args.org.LoginPolicy.AllowRegister {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.LoginPolicy.AllowRegister, tt.args.org.LoginPolicy.AllowRegister)
+			}
+			if tt.result.LoginPolicy.AllowExternalIdp != tt.args.org.LoginPolicy.AllowExternalIdp {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.LoginPolicy.AllowExternalIdp, tt.args.org.LoginPolicy.AllowExternalIdp)
+			}
+		})
+	}
+}
+
+func TestAppendChangeLoginPolicyEvent(t *testing.T) {
+	type args struct {
+		org    *Org
+		policy *iam_es_model.LoginPolicy
+		event  *es_models.Event
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result *Org
+	}{
+		{
+			name: "append change login policy event",
+			args: args{
+				org: &Org{LoginPolicy: &iam_es_model.LoginPolicy{
+					AllowExternalIdp:      false,
+					AllowRegister:         false,
+					AllowUsernamePassword: false,
+				}},
+				policy: &iam_es_model.LoginPolicy{AllowUsernamePassword: true, AllowRegister: true, AllowExternalIdp: true},
+				event:  &es_models.Event{},
+			},
+			result: &Org{LoginPolicy: &iam_es_model.LoginPolicy{
+				AllowExternalIdp:      true,
+				AllowRegister:         true,
+				AllowUsernamePassword: true,
+			}},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.args.policy != nil {
+				data, _ := json.Marshal(tt.args.policy)
+				tt.args.event.Data = data
+			}
+			tt.args.org.appendChangeLoginPolicyEvent(tt.args.event)
+			if tt.result.LoginPolicy.AllowUsernamePassword != tt.args.org.LoginPolicy.AllowUsernamePassword {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.LoginPolicy.AllowUsernamePassword, tt.args.org.LoginPolicy.AllowUsernamePassword)
+			}
+			if tt.result.LoginPolicy.AllowRegister != tt.args.org.LoginPolicy.AllowRegister {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.LoginPolicy.AllowRegister, tt.args.org.LoginPolicy.AllowRegister)
+			}
+			if tt.result.LoginPolicy.AllowExternalIdp != tt.args.org.LoginPolicy.AllowExternalIdp {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.LoginPolicy.AllowExternalIdp, tt.args.org.LoginPolicy.AllowExternalIdp)
+			}
+		})
+	}
+}
+
+func TestAppendAddIdpToPolicyEvent(t *testing.T) {
+	type args struct {
+		org      *Org
+		provider *iam_es_model.IDPProvider
+		event    *es_models.Event
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result *Org
+	}{
+		{
+			name: "append add idp to login policy event",
+			args: args{
+				org:      &Org{LoginPolicy: &iam_es_model.LoginPolicy{AllowExternalIdp: true, AllowRegister: true, AllowUsernamePassword: true}},
+				provider: &iam_es_model.IDPProvider{Type: int32(iam_model.IDPProviderTypeSystem), IDPConfigID: "IDPConfigID"},
+				event:    &es_models.Event{},
+			},
+			result: &Org{LoginPolicy: &iam_es_model.LoginPolicy{
+				AllowExternalIdp:      true,
+				AllowRegister:         true,
+				AllowUsernamePassword: true,
+				IDPProviders: []*iam_es_model.IDPProvider{
+					{IDPConfigID: "IDPConfigID", Type: int32(iam_model.IDPProviderTypeSystem)},
+				}}},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.args.provider != nil {
+				data, _ := json.Marshal(tt.args.provider)
+				tt.args.event.Data = data
+			}
+			tt.args.org.appendAddIdpProviderToLoginPolicyEvent(tt.args.event)
+			if tt.result.LoginPolicy.AllowUsernamePassword != tt.args.org.LoginPolicy.AllowUsernamePassword {
+				t.Errorf("got wrong result AllowUsernamePassword: expected: %v, actual: %v ", tt.result.LoginPolicy.AllowUsernamePassword, tt.args.org.LoginPolicy.AllowUsernamePassword)
+			}
+			if tt.result.LoginPolicy.AllowRegister != tt.args.org.LoginPolicy.AllowRegister {
+				t.Errorf("got wrong result AllowRegister: expected: %v, actual: %v ", tt.result.LoginPolicy.AllowRegister, tt.args.org.LoginPolicy.AllowRegister)
+			}
+			if tt.result.LoginPolicy.AllowExternalIdp != tt.args.org.LoginPolicy.AllowExternalIdp {
+				t.Errorf("got wrong result AllowExternalIDP: expected: %v, actual: %v ", tt.result.LoginPolicy.AllowExternalIdp, tt.args.org.LoginPolicy.AllowExternalIdp)
+			}
+			if len(tt.result.LoginPolicy.IDPProviders) != len(tt.args.org.LoginPolicy.IDPProviders) {
+				t.Errorf("got wrong idp provider len: expected: %v, actual: %v ", len(tt.result.LoginPolicy.IDPProviders), len(tt.args.org.LoginPolicy.IDPProviders))
+			}
+			if tt.result.LoginPolicy.IDPProviders[0].Type != tt.args.provider.Type {
+				t.Errorf("got wrong idp provider type: expected: %v, actual: %v ", tt.result.LoginPolicy.IDPProviders[0].Type, tt.args.provider.Type)
+			}
+			if tt.result.LoginPolicy.IDPProviders[0].IDPConfigID != tt.args.provider.IDPConfigID {
+				t.Errorf("got wrong idp provider idpconfigid: expected: %v, actual: %v ", tt.result.LoginPolicy.IDPProviders[0].IDPConfigID, tt.args.provider.IDPConfigID)
+			}
+		})
+	}
+}
+
+func TestRemoveAddIdpToPolicyEvent(t *testing.T) {
+	type args struct {
+		org      *Org
+		provider *iam_es_model.IDPProvider
+		event    *es_models.Event
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result *Org
+	}{
+		{
+			name: "append add idp to login policy event",
+			args: args{
+				org: &Org{
+					LoginPolicy: &iam_es_model.LoginPolicy{
+						AllowExternalIdp:      true,
+						AllowRegister:         true,
+						AllowUsernamePassword: true,
+						IDPProviders: []*iam_es_model.IDPProvider{
+							{IDPConfigID: "IDPConfigID", Type: int32(iam_model.IDPProviderTypeSystem)},
+						}}},
+				provider: &iam_es_model.IDPProvider{Type: int32(iam_model.IDPProviderTypeSystem), IDPConfigID: "IDPConfigID"},
+				event:    &es_models.Event{},
+			},
+			result: &Org{LoginPolicy: &iam_es_model.LoginPolicy{
+				AllowExternalIdp:      true,
+				AllowRegister:         true,
+				AllowUsernamePassword: true,
+				IDPProviders:          []*iam_es_model.IDPProvider{}}},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.args.provider != nil {
+				data, _ := json.Marshal(tt.args.provider)
+				tt.args.event.Data = data
+			}
+			tt.args.org.appendRemoveIdpProviderFromLoginPolicyEvent(tt.args.event)
+			if tt.result.LoginPolicy.AllowUsernamePassword != tt.args.org.LoginPolicy.AllowUsernamePassword {
+				t.Errorf("got wrong result AllowUsernamePassword: expected: %v, actual: %v ", tt.result.LoginPolicy.AllowUsernamePassword, tt.args.org.LoginPolicy.AllowUsernamePassword)
+			}
+			if tt.result.LoginPolicy.AllowRegister != tt.args.org.LoginPolicy.AllowRegister {
+				t.Errorf("got wrong result AllowRegister: expected: %v, actual: %v ", tt.result.LoginPolicy.AllowRegister, tt.args.org.LoginPolicy.AllowRegister)
+			}
+			if tt.result.LoginPolicy.AllowExternalIdp != tt.args.org.LoginPolicy.AllowExternalIdp {
+				t.Errorf("got wrong result AllowExternalIDP: expected: %v, actual: %v ", tt.result.LoginPolicy.AllowExternalIdp, tt.args.org.LoginPolicy.AllowExternalIdp)
+			}
+			if len(tt.result.LoginPolicy.IDPProviders) != len(tt.args.org.LoginPolicy.IDPProviders) {
+				t.Errorf("got wrong idp provider len: expected: %v, actual: %v ", len(tt.result.LoginPolicy.IDPProviders), len(tt.args.org.LoginPolicy.IDPProviders))
+			}
+		})
+	}
+}

internal/org/repository/eventsourcing/model/org.go

@@ -2,6 +2,8 @@ package model
 
 import (
 	"encoding/json"
+	"github.com/caos/zitadel/internal/iam/model"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
 
 	"github.com/caos/zitadel/internal/errors"
 	es_models "github.com/caos/zitadel/internal/eventstore/models"
@@ -18,23 +20,30 @@ type Org struct {
 	Name  string `json:"name,omitempty"`
 	State int32  `json:"-"`
 
-	Domains      []*OrgDomain  `json:"-"`
-	Members      []*OrgMember  `json:"-"`
-	OrgIamPolicy *OrgIamPolicy `json:"-"`
+	Domains      []*OrgDomain              `json:"-"`
+	Members      []*OrgMember              `json:"-"`
+	OrgIamPolicy *OrgIAMPolicy             `json:"-"`
+	LoginPolicy  *iam_es_model.LoginPolicy `json:"-"`
+	IDPs         []*iam_es_model.IDPConfig `json:"-"`
 }
 
 func OrgFromModel(org *org_model.Org) *Org {
 	members := OrgMembersFromModel(org.Members)
 	domains := OrgDomainsFromModel(org.Domains)
+	idps := iam_es_model.IDPConfigsFromModel(org.IDPs)
 	converted := &Org{
 		ObjectRoot: org.ObjectRoot,
 		Name:       org.Name,
 		State:      int32(org.State),
 		Domains:    domains,
 		Members:    members,
+		IDPs:       idps,
 	}
 	if org.OrgIamPolicy != nil {
-		converted.OrgIamPolicy = OrgIamPolicyFromModel(org.OrgIamPolicy)
+		converted.OrgIamPolicy = OrgIAMPolicyFromModel(org.OrgIamPolicy)
+	}
+	if org.LoginPolicy != nil {
+		converted.LoginPolicy = iam_es_model.LoginPolicyFromModel(org.LoginPolicy)
 	}
 	return converted
 }
@@ -46,9 +55,13 @@ func OrgToModel(org *Org) *org_model.Org {
 		State:      org_model.OrgState(org.State),
 		Domains:    OrgDomainsToModel(org.Domains),
 		Members:    OrgMembersToModel(org.Members),
+		IDPs:       iam_es_model.IDPConfigsToModel(org.IDPs),
 	}
 	if org.OrgIamPolicy != nil {
-		converted.OrgIamPolicy = OrgIamPolicyToModel(org.OrgIamPolicy)
+		converted.OrgIamPolicy = OrgIAMPolicyToModel(org.OrgIamPolicy)
+	}
+	if org.LoginPolicy != nil {
+		converted.LoginPolicy = iam_es_model.LoginPolicyToModel(org.LoginPolicy)
 	}
 	return converted
 }
@@ -71,16 +84,16 @@ func (o *Org) AppendEvents(events ...*es_models.Event) error {
 	return nil
 }
 
-func (o *Org) AppendEvent(event *es_models.Event) error {
+func (o *Org) AppendEvent(event *es_models.Event) (err error) {
 	switch event.Type {
 	case OrgAdded:
 		*o = Org{}
-		err := o.setData(event)
+		err = o.setData(event)
 		if err != nil {
 			return err
 		}
 	case OrgChanged:
-		err := o.setData(event)
+		err = o.setData(event)
 		if err != nil {
 			return err
 		}
@@ -112,25 +125,50 @@ func (o *Org) AppendEvent(event *es_models.Event) error {
 		}
 		o.removeMember(member.UserID)
 	case OrgDomainAdded:
-		o.appendAddDomainEvent(event)
+		err = o.appendAddDomainEvent(event)
 	case OrgDomainVerificationAdded:
-		o.appendVerificationDomainEvent(event)
+		err = o.appendVerificationDomainEvent(event)
 	case OrgDomainVerified:
-		o.appendVerifyDomainEvent(event)
+		err = o.appendVerifyDomainEvent(event)
 	case OrgDomainPrimarySet:
-		o.appendPrimaryDomainEvent(event)
+		err = o.appendPrimaryDomainEvent(event)
 	case OrgDomainRemoved:
-		o.appendRemoveDomainEvent(event)
-	case OrgIamPolicyAdded:
-		o.appendAddOrgIamPolicyEvent(event)
-	case OrgIamPolicyChanged:
-		o.appendChangeOrgIamPolicyEvent(event)
-	case OrgIamPolicyRemoved:
-		o.appendRemoveOrgIamPolicyEvent()
+		err = o.appendRemoveDomainEvent(event)
+	case OrgIAMPolicyAdded:
+		err = o.appendAddOrgIAMPolicyEvent(event)
+	case OrgIAMPolicyChanged:
+		err = o.appendChangeOrgIAMPolicyEvent(event)
+	case OrgIAMPolicyRemoved:
+		o.appendRemoveOrgIAMPolicyEvent()
+	case IDPConfigAdded:
+		err = o.appendAddIDPConfigEvent(event)
+	case IDPConfigChanged:
+		err = o.appendChangeIDPConfigEvent(event)
+	case IDPConfigRemoved:
+		err = o.appendRemoveIDPConfigEvent(event)
+	case IDPConfigDeactivated:
+		err = o.appendIDPConfigStateEvent(event, model.IDPConfigStateInactive)
+	case IDPConfigReactivated:
+		err = o.appendIDPConfigStateEvent(event, model.IDPConfigStateActive)
+	case OIDCIDPConfigAdded:
+		err = o.appendAddOIDCIDPConfigEvent(event)
+	case OIDCIDPConfigChanged:
+		err = o.appendChangeOIDCIDPConfigEvent(event)
+	case LoginPolicyAdded:
+		err = o.appendAddLoginPolicyEvent(event)
+	case LoginPolicyChanged:
+		err = o.appendChangeLoginPolicyEvent(event)
+	case LoginPolicyRemoved:
+		o.appendRemoveLoginPolicyEvent(event)
+	case LoginPolicyIDPProviderAdded:
+		err = o.appendAddIdpProviderToLoginPolicyEvent(event)
+	case LoginPolicyIDPProviderRemoved:
+		err = o.appendRemoveIdpProviderFromLoginPolicyEvent(event)
+	}
+	if err != nil {
+		return err
 	}
-
 	o.ObjectRoot.AppendEvent(event)
-
 	return nil
 }
 

internal/org/repository/eventsourcing/model/org_iam_policy.go

@@ -8,7 +8,7 @@ import (
 	org_model "github.com/caos/zitadel/internal/org/model"
 )
 
-type OrgIamPolicy struct {
+type OrgIAMPolicy struct {
 	models.ObjectRoot
 
 	Description           string `json:"description,omitempty"`
@@ -16,24 +16,24 @@ type OrgIamPolicy struct {
 	UserLoginMustBeDomain bool   `json:"userLoginMustBeDomain"`
 }
 
-func OrgIamPolicyToModel(policy *OrgIamPolicy) *org_model.OrgIamPolicy {
-	return &org_model.OrgIamPolicy{
+func OrgIAMPolicyToModel(policy *OrgIAMPolicy) *org_model.OrgIAMPolicy {
+	return &org_model.OrgIAMPolicy{
 		ObjectRoot:            policy.ObjectRoot,
 		State:                 org_model.PolicyState(policy.State),
 		UserLoginMustBeDomain: policy.UserLoginMustBeDomain,
 	}
 }
 
-func OrgIamPolicyFromModel(policy *org_model.OrgIamPolicy) *OrgIamPolicy {
-	return &OrgIamPolicy{
+func OrgIAMPolicyFromModel(policy *org_model.OrgIAMPolicy) *OrgIAMPolicy {
+	return &OrgIAMPolicy{
 		ObjectRoot:            policy.ObjectRoot,
 		State:                 int32(policy.State),
 		UserLoginMustBeDomain: policy.UserLoginMustBeDomain,
 	}
 }
 
-func (o *Org) appendAddOrgIamPolicyEvent(event *es_models.Event) error {
-	o.OrgIamPolicy = new(OrgIamPolicy)
+func (o *Org) appendAddOrgIAMPolicyEvent(event *es_models.Event) error {
+	o.OrgIamPolicy = new(OrgIAMPolicy)
 	err := o.OrgIamPolicy.SetData(event)
 	if err != nil {
 		return err
@@ -42,15 +42,15 @@ func (o *Org) appendAddOrgIamPolicyEvent(event *es_models.Event) error {
 	return nil
 }
 
-func (o *Org) appendChangeOrgIamPolicyEvent(event *es_models.Event) error {
+func (o *Org) appendChangeOrgIAMPolicyEvent(event *es_models.Event) error {
 	return o.OrgIamPolicy.SetData(event)
 }
 
-func (o *Org) appendRemoveOrgIamPolicyEvent() {
+func (o *Org) appendRemoveOrgIAMPolicyEvent() {
 	o.OrgIamPolicy = nil
 }
 
-func (p *OrgIamPolicy) Changes(changed *OrgIamPolicy) map[string]interface{} {
+func (p *OrgIAMPolicy) Changes(changed *OrgIAMPolicy) map[string]interface{} {
 	changes := make(map[string]interface{}, 2)
 
 	if changed.Description != p.Description {
@@ -63,7 +63,7 @@ func (p *OrgIamPolicy) Changes(changed *OrgIamPolicy) map[string]interface{} {
 	return changes
 }
 
-func (p *OrgIamPolicy) SetData(event *es_models.Event) error {
+func (p *OrgIAMPolicy) SetData(event *es_models.Event) error {
 	err := json.Unmarshal(event.Data, p)
 	if err != nil {
 		return errors.ThrowInternal(err, "EVENT-7JS9d", "unable to unmarshal data")

internal/org/repository/eventsourcing/model/org_test.go

@@ -93,13 +93,6 @@ func TestAppendEvent(t *testing.T) {
 			},
 			result: &Org{ObjectRoot: es_models.ObjectRoot{AggregateID: "ID"}, State: int32(model.OrgStateActive)},
 		},
-		{
-			name: "append added domain event",
-			args: args{
-				event: &es_models.Event{AggregateID: "ID", Sequence: 1, Type: OrgDomainAdded},
-			},
-			result: &Org{ObjectRoot: es_models.ObjectRoot{AggregateID: "ID"}, State: int32(model.OrgStateActive)},
-		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

internal/org/repository/eventsourcing/model/types.go

@@ -29,7 +29,26 @@ const (
 	OrgMemberChanged models.EventType = "org.member.changed"
 	OrgMemberRemoved models.EventType = "org.member.removed"
 
-	OrgIamPolicyAdded   models.EventType = "org.iam.policy.added"
-	OrgIamPolicyChanged models.EventType = "org.iam.policy.changed"
-	OrgIamPolicyRemoved models.EventType = "org.iam.policy.removed"
+	OrgIAMPolicyAdded   models.EventType = "org.iam.policy.added"
+	OrgIAMPolicyChanged models.EventType = "org.iam.policy.changed"
+	OrgIAMPolicyRemoved models.EventType = "org.iam.policy.removed"
+
+	IDPConfigAdded       models.EventType = "org.idp.config.added"
+	IDPConfigChanged     models.EventType = "org.idp.config.changed"
+	IDPConfigRemoved     models.EventType = "org.idp.config.removed"
+	IDPConfigDeactivated models.EventType = "org.idp.config.deactivated"
+	IDPConfigReactivated models.EventType = "org.idp.config.reactivated"
+
+	OIDCIDPConfigAdded   models.EventType = "org.idp.oidc.config.added"
+	OIDCIDPConfigChanged models.EventType = "org.idp.oidc.config.changed"
+
+	SAMLIDPConfigAdded   models.EventType = "org.idp.saml.config.added"
+	SAMLIDPConfigChanged models.EventType = "org.idp.saml.config.changed"
+
+	LoginPolicyAdded                     models.EventType = "org.policy.login.added"
+	LoginPolicyChanged                   models.EventType = "org.policy.login.changed"
+	LoginPolicyRemoved                   models.EventType = "org.policy.login.removed"
+	LoginPolicyIDPProviderAdded          models.EventType = "org.policy.login.idpprovider.added"
+	LoginPolicyIDPProviderRemoved        models.EventType = "org.policy.login.idpprovider.removed"
+	LoginPolicyIDPProviderCascadeRemoved models.EventType = "org.policy.login.idpprovider.cascade.removed"
 )