fix: setup instance with human an machine user at creation (#7997)

# Which Problems Are Solved Currently on instance setup there is only a possibility to either use a human or a machine user and not both at creation. # How the Problems Are Solved The logic in the instance setup is refactored and changed so there is not an exclusion. # Additional Changes Refactoring, so that unit testing is possible to add for the different elements of an instance setup. # Additional Context Closes #6430
2025-05-28 12:48:21 +00:00 · 2024-05-23 12:28:46 +02:00 · 2024-05-23 12:28:46 +02:00 · e58869c090
commit e58869c090
parent cfa3d013a4
7 changed files with 1393 additions and 279 deletions
--- a/internal/command/command.go
+++ b/internal/command/command.go
@ -82,6 +82,8 @@ type Commands struct {
 	ActionFunctionExisting func(function string) bool
 	EventExisting          func(event string) bool
 	EventGroupExisting     func(group string) bool
+
+	GenerateDomain func(instanceName, domain string) (string, error)
 }

 func StartCommands(
@ -168,6 +170,7 @@ func StartCommands(
 				Issuer:    defaults.Multifactors.OTP.Issuer,
 			},
 		},
+		GenerateDomain: domain.NewGeneratedInstanceDomain,
 	}

 	if defaultSecretGenerators != nil && defaultSecretGenerators.ClientSecret != nil {
--- a/internal/command/instance.go
+++ b/internal/command/instance.go
@ -142,6 +142,8 @@ type SecretGenerators struct {
 }

 type ZitadelConfig struct {
+	instanceID     string
+	orgID          string
 	projectID      string
 	mgmtAppID      string
 	adminAppID     string
@ -152,6 +154,16 @@ type ZitadelConfig struct {
 }

 func (s *InstanceSetup) generateIDs(idGenerator id.Generator) (err error) {
+	s.zitadel.instanceID, err = idGenerator.Next()
+	if err != nil {
+		return err
+	}
+
+	s.zitadel.orgID, err = idGenerator.Next()
+	if err != nil {
+		return err
+	}
+
 	s.zitadel.projectID, err = idGenerator.Next()
 	if err != nil {
 		return err
@ -185,36 +197,88 @@ func (s *InstanceSetup) generateIDs(idGenerator id.Generator) (err error) {
 }

 func (c *Commands) SetUpInstance(ctx context.Context, setup *InstanceSetup) (string, string, *MachineKey, *domain.ObjectDetails, error) {
-	instanceID, err := c.idGenerator.Next()
+	if err := setup.generateIDs(c.idGenerator); err != nil {
+		return "", "", nil, nil, err
+	}
+	ctx = contextWithInstanceSetupInfo(ctx, setup.zitadel.instanceID, setup.zitadel.projectID, setup.zitadel.consoleAppID, c.externalDomain)
+
+	validations, pat, machineKey, err := setUpInstance(ctx, c, setup)
 	if err != nil {
 		return "", "", nil, nil, err
 	}

-	ctx = authz.SetCtxData(authz.WithRequestedDomain(authz.WithInstanceID(ctx, instanceID), c.externalDomain), authz.CtxData{OrgID: instanceID, ResourceOwner: instanceID})
-
-	orgID, err := c.idGenerator.Next()
+	//nolint:staticcheck
+	cmds, err := preparation.PrepareCommands(ctx, c.eventstore.Filter, validations...)
 	if err != nil {
 		return "", "", nil, nil, err
 	}

-	userID, err := c.idGenerator.Next()
+	events, err := c.eventstore.Push(ctx, cmds...)
 	if err != nil {
 		return "", "", nil, nil, err
 	}

-	if err = setup.generateIDs(c.idGenerator); err != nil {
-		return "", "", nil, nil, err
+	var token string
+	if pat != nil {
+		token = pat.Token
 	}
-	ctx = authz.WithConsole(ctx, setup.zitadel.projectID, setup.zitadel.consoleAppID)

-	instanceAgg := instance.NewAggregate(instanceID)
-	orgAgg := org.NewAggregate(orgID)
-	userAgg := user.NewAggregate(userID, orgID)
-	projectAgg := project.NewAggregate(setup.zitadel.projectID, orgID)
-	limitsAgg := limits.NewAggregate(setup.zitadel.limitsID, instanceID)
-	restrictionsAgg := restrictions.NewAggregate(setup.zitadel.restrictionsID, instanceID, instanceID)
+	return setup.zitadel.instanceID, token, machineKey, &domain.ObjectDetails{
+		Sequence:      events[len(events)-1].Sequence(),
+		EventDate:     events[len(events)-1].CreatedAt(),
+		ResourceOwner: setup.zitadel.orgID,
+	}, nil
+}

-	validations := []preparation.Validation{
+func contextWithInstanceSetupInfo(ctx context.Context, instanceID, projectID, consoleAppID, externalDomain string) context.Context {
+	return authz.WithConsole(
+		authz.SetCtxData(
+			authz.WithRequestedDomain(
+				authz.WithInstanceID(
+					ctx,
+					instanceID),
+				externalDomain,
+			),
+			authz.CtxData{ResourceOwner: instanceID},
+		),
+		projectID,
+		consoleAppID,
+	)
+}
+
+func setUpInstance(ctx context.Context, c *Commands, setup *InstanceSetup) (validations []preparation.Validation, pat *PersonalAccessToken, machineKey *MachineKey, err error) {
+	instanceAgg := instance.NewAggregate(setup.zitadel.instanceID)
+
+	validations = setupInstanceElements(instanceAgg, setup)
+
+	// default organization on setup'd instance
+	pat, machineKey, err = setupDefaultOrg(ctx, c, &validations, instanceAgg, setup.Org.Name, setup.Org.Machine, setup.Org.Human, setup.zitadel)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	// domains
+	if err := setupGeneratedDomain(ctx, c, &validations, instanceAgg, setup.InstanceName); err != nil {
+		return nil, nil, nil, err
+	}
+	setupCustomDomain(c, &validations, instanceAgg, setup.CustomDomain)
+
+	// optional setting if set
+	setupMessageTexts(&validations, setup.MessageTexts, instanceAgg)
+	if err := setupQuotas(c, &validations, setup.Quotas, setup.zitadel.instanceID); err != nil {
+		return nil, nil, nil, err
+	}
+	setupSMTPSettings(c, &validations, setup.SMTPConfiguration, instanceAgg)
+	setupOIDCSettings(c, &validations, setup.OIDCSettings, instanceAgg)
+	setupFeatures(&validations, setup.Features, setup.zitadel.instanceID)
+	setupLimits(c, &validations, limits.NewAggregate(setup.zitadel.limitsID, setup.zitadel.instanceID), setup.Limits)
+	setupRestrictions(c, &validations, restrictions.NewAggregate(setup.zitadel.restrictionsID, setup.zitadel.instanceID, setup.zitadel.instanceID), setup.Restrictions)
+
+	return validations, pat, machineKey, nil
+}
+
+func setupInstanceElements(instanceAgg *instance.Aggregate, setup *InstanceSetup) []preparation.Validation {
+	return []preparation.Validation{
 		prepareAddInstance(instanceAgg, setup.InstanceName, setup.DefaultLanguage),
 		prepareAddSecretGeneratorConfig(instanceAgg, domain.SecretGeneratorTypeAppSecret, setup.SecretGenerators.ClientSecret),
 		prepareAddSecretGeneratorConfig(instanceAgg, domain.SecretGeneratorTypeInitCode, setup.SecretGenerators.InitializeUserCode),
@ -292,54 +356,8 @@ func (c *Commands) SetUpInstance(ctx context.Context, setup *InstanceSetup) (str
 			setup.LabelPolicy.DisableWatermark,
 			setup.LabelPolicy.ThemeMode,
 		),
-		prepareActivateDefaultLabelPolicy(instanceAgg),
-
 		prepareAddDefaultEmailTemplate(instanceAgg, setup.EmailTemplate),
 	}
-	if err := setupQuotas(c, &validations, setup.Quotas, instanceID); err != nil {
-		return "", "", nil, nil, err
-	}
-	setupMessageTexts(&validations, setup.MessageTexts, instanceAgg)
-	validations = append(validations,
-		AddOrgCommand(ctx, orgAgg, setup.Org.Name),
-		c.prepareSetDefaultOrg(instanceAgg, orgAgg.ID),
-	)
-	pat, machineKey, err := setupAdmin(c, &validations, setup.Org.Machine, setup.Org.Human, orgID, userID, userAgg)
-	if err != nil {
-		return "", "", nil, nil, err
-	}
-	setupMinimalInterfaces(c, &validations, instanceAgg, projectAgg, orgAgg, userID, setup.zitadel)
-	if err := setupGeneratedDomain(ctx, c, &validations, instanceAgg, setup.InstanceName); err != nil {
-		return "", "", nil, nil, err
-	}
-	setupCustomDomain(c, &validations, instanceAgg, setup.CustomDomain)
-	setupSMTPSettings(c, &validations, setup.SMTPConfiguration, instanceAgg)
-	setupOIDCSettings(c, &validations, setup.OIDCSettings, instanceAgg)
-	setupFeatures(&validations, setup.Features, instanceID)
-	setupLimits(c, &validations, limitsAgg, setup.Limits)
-	setupRestrictions(c, &validations, restrictionsAgg, setup.Restrictions)
-
-	//nolint:staticcheck
-	cmds, err := preparation.PrepareCommands(ctx, c.eventstore.Filter, validations...)
-	if err != nil {
-		return "", "", nil, nil, err
-	}
-
-	events, err := c.eventstore.Push(ctx, cmds...)
-	if err != nil {
-		return "", "", nil, nil, err
-	}
-
-	var token string
-	if pat != nil {
-		token = pat.Token
-	}
-
-	return instanceID, token, machineKey, &domain.ObjectDetails{
-		Sequence:      events[len(events)-1].Sequence(),
-		EventDate:     events[len(events)-1].CreatedAt(),
-		ResourceOwner: orgID,
-	}, nil
 }

 func setupLimits(commands *Commands, validations *[]preparation.Validation, limitsAgg *limits.Aggregate, setLimits *SetLimits) {
@ -369,7 +387,9 @@ func setupQuotas(commands *Commands, validations *[]preparation.Validation, setQ
 }

 func setupFeatures(validations *[]preparation.Validation, features *InstanceFeatures, instanceID string) {
-	*validations = append(*validations, prepareSetFeatures(instanceID, features))
+	if features != nil {
+		*validations = append(*validations, prepareSetFeatures(instanceID, features))
+	}
 }

 func setupOIDCSettings(commands *Commands, validations *[]preparation.Validation, oidcSettings *OIDCSettings, instanceAgg *instance.Aggregate) {
@ -425,7 +445,9 @@ func setupGeneratedDomain(ctx context.Context, commands *Commands, validations *
 	return nil
 }

-func setupMinimalInterfaces(commands *Commands, validations *[]preparation.Validation, instanceAgg *instance.Aggregate, projectAgg *project.Aggregate, orgAgg *org.Aggregate, userID string, ids ZitadelConfig) {
+func setupMinimalInterfaces(commands *Commands, validations *[]preparation.Validation, instanceAgg *instance.Aggregate, orgAgg *org.Aggregate, projectOwner string, ids ZitadelConfig) {
+	projectAgg := project.NewAggregate(ids.projectID, orgAgg.ID)
+
 	cnsl := &addOIDCApp{
 		AddApp: AddApp{
 			Aggregate: *projectAgg,
@ -446,10 +468,9 @@ func setupMinimalInterfaces(commands *Commands, validations *[]preparation.Valid
 		IDTokenUserinfoAssertion: false,
 		ClockSkew:                0,
 	}
+
 	*validations = append(*validations,
-		commands.AddOrgMemberCommand(orgAgg, userID, domain.RoleOrgOwner),
-		commands.AddInstanceMemberCommand(instanceAgg, userID, domain.RoleIAMOwner),
-		AddProjectCommand(projectAgg, zitadelProjectName, userID, false, false, false, domain.PrivateLabelingSettingUnspecified),
+		AddProjectCommand(projectAgg, zitadelProjectName, projectOwner, false, false, false, domain.PrivateLabelingSettingUnspecified),
 		SetIAMProject(instanceAgg, projectAgg.ID),

 		commands.AddAPIAppCommand(
@ -490,37 +511,103 @@ func setupMinimalInterfaces(commands *Commands, validations *[]preparation.Valid
 	)
 }

-func setupAdmin(commands *Commands, validations *[]preparation.Validation, machine *AddMachine, human *AddHuman, orgID, userID string, userAgg *user.Aggregate) (pat *PersonalAccessToken, machineKey *MachineKey, err error) {
-	// only a human or a machine user should be created as owner
+func setupDefaultOrg(ctx context.Context,
+	commands *Commands,
+	validations *[]preparation.Validation,
+	instanceAgg *instance.Aggregate,
+	name string,
+	machine *AddMachine,
+	human *AddHuman,
+	ids ZitadelConfig,
+) (pat *PersonalAccessToken, machineKey *MachineKey, err error) {
+	orgAgg := org.NewAggregate(ids.orgID)
+
+	*validations = append(
+		*validations,
+		AddOrgCommand(ctx, orgAgg, name),
+		commands.prepareSetDefaultOrg(instanceAgg, ids.orgID),
+	)
+
+	projectOwner, pat, machineKey, err := setupAdmins(commands, validations, instanceAgg, orgAgg, machine, human)
+	if err != nil {
+		return nil, nil, err
+	}
+	setupMinimalInterfaces(commands, validations, instanceAgg, orgAgg, projectOwner, ids)
+	return pat, machineKey, nil
+}
+
+func setupAdmins(commands *Commands,
+	validations *[]preparation.Validation,
+	instanceAgg *instance.Aggregate,
+	orgAgg *org.Aggregate,
+	machine *AddMachine,
+	human *AddHuman,
+) (owner string, pat *PersonalAccessToken, machineKey *MachineKey, err error) {
+	if human == nil && machine == nil {
+		return "", nil, nil, zerrors.ThrowInvalidArgument(nil, "INSTANCE-z1yi2q2ot7", "Error.Instance.NoAdmin")
+	}
+
 	if machine != nil && machine.Machine != nil && !machine.Machine.IsZero() {
-		*validations = append(*validations,
-			AddMachineCommand(userAgg, machine.Machine),
-		)
-		if machine.Pat != nil {
-			pat = NewPersonalAccessToken(orgID, userID, machine.Pat.ExpirationDate, machine.Pat.Scopes, domain.UserTypeMachine)
-			pat.TokenID, err = commands.idGenerator.Next()
-			if err != nil {
-				return nil, nil, err
-			}
-			*validations = append(*validations, prepareAddPersonalAccessToken(pat, commands.keyAlgorithm))
+		machineUserID, err := commands.idGenerator.Next()
+		if err != nil {
+			return "", nil, nil, err
 		}
-		if machine.MachineKey != nil {
-			machineKey = NewMachineKey(orgID, userID, machine.MachineKey.ExpirationDate, machine.MachineKey.Type)
-			machineKey.KeyID, err = commands.idGenerator.Next()
-			if err != nil {
-				return nil, nil, err
-			}
-			*validations = append(*validations, prepareAddUserMachineKey(machineKey, commands.machineKeySize))
+		owner = machineUserID
+
+		pat, machineKey, err = setupMachineAdmin(commands, validations, machine, orgAgg.ID, machineUserID)
+		if err != nil {
+			return "", nil, nil, err
 		}
-	} else if human != nil {
-		human.ID = userID
+
+		setupAdminMembers(commands, validations, instanceAgg, orgAgg, machineUserID)
+	}
+	if human != nil {
+		humanUserID, err := commands.idGenerator.Next()
+		if err != nil {
+			return "", nil, nil, err
+		}
+		owner = humanUserID
+		human.ID = humanUserID
+
 		*validations = append(*validations,
-			commands.AddHumanCommand(human, orgID, commands.userPasswordHasher, commands.userEncryption, true),
+			commands.AddHumanCommand(human, orgAgg.ID, commands.userPasswordHasher, commands.userEncryption, true),
 		)
+
+		setupAdminMembers(commands, validations, instanceAgg, orgAgg, humanUserID)
+	}
+	return owner, pat, machineKey, nil
+}
+
+func setupMachineAdmin(commands *Commands, validations *[]preparation.Validation, machine *AddMachine, orgID, userID string) (pat *PersonalAccessToken, machineKey *MachineKey, err error) {
+	*validations = append(*validations,
+		AddMachineCommand(user.NewAggregate(userID, orgID), machine.Machine),
+	)
+	if machine.Pat != nil {
+		pat = NewPersonalAccessToken(orgID, userID, machine.Pat.ExpirationDate, machine.Pat.Scopes, domain.UserTypeMachine)
+		pat.TokenID, err = commands.idGenerator.Next()
+		if err != nil {
+			return nil, nil, err
+		}
+		*validations = append(*validations, prepareAddPersonalAccessToken(pat, commands.keyAlgorithm))
+	}
+	if machine.MachineKey != nil {
+		machineKey = NewMachineKey(orgID, userID, machine.MachineKey.ExpirationDate, machine.MachineKey.Type)
+		machineKey.KeyID, err = commands.idGenerator.Next()
+		if err != nil {
+			return nil, nil, err
+		}
+		*validations = append(*validations, prepareAddUserMachineKey(machineKey, commands.machineKeySize))
 	}
 	return pat, machineKey, nil
 }

+func setupAdminMembers(commands *Commands, validations *[]preparation.Validation, instanceAgg *instance.Aggregate, orgAgg *org.Aggregate, userID string) {
+	*validations = append(*validations,
+		commands.AddOrgMemberCommand(orgAgg, userID, domain.RoleOrgOwner),
+		commands.AddInstanceMemberCommand(instanceAgg, userID, domain.RoleIAMOwner),
+	)
+}
+
 func setupMessageTexts(validations *[]preparation.Validation, setupMessageTexts []*domain.CustomMessageText, instanceAgg *instance.Aggregate) {
 	for _, msg := range setupMessageTexts {
 		*validations = append(*validations, prepareSetInstanceCustomMessageTexts(instanceAgg, msg))
--- a/internal/command/instance_domain.go
+++ b/internal/command/instance_domain.go
@ -74,7 +74,7 @@ func (c *Commands) RemoveInstanceDomain(ctx context.Context, instanceDomain stri
 }

 func (c *Commands) addGeneratedInstanceDomain(ctx context.Context, a *instance.Aggregate, instanceName string) ([]preparation.Validation, error) {
-	domain, err := domain.NewGeneratedInstanceDomain(instanceName, authz.GetInstance(ctx).RequestedDomain())
+	domain, err := c.GenerateDomain(instanceName, authz.GetInstance(ctx).RequestedDomain())
 	if err != nil {
 		return nil, err
 	}
--- a/internal/command/instance_policy_label.go
+++ b/internal/command/instance_policy_label.go
@ -12,38 +12,6 @@ import (
 	"github.com/zitadel/zitadel/internal/zerrors"
 )

-func (c *Commands) AddDefaultLabelPolicy(
-	ctx context.Context,
-	primaryColor, backgroundColor, warnColor, fontColor, primaryColorDark, backgroundColorDark, warnColorDark, fontColorDark string,
-	hideLoginNameSuffix, errorMsgPopup, disableWatermark bool, themeMode domain.LabelPolicyThemeMode,
-) (*domain.ObjectDetails, error) {
-	instanceAgg := instance.NewAggregate(authz.GetInstance(ctx).InstanceID())
-	cmds, err := preparation.PrepareCommands(ctx, c.eventstore.Filter,
-		prepareAddDefaultLabelPolicy(
-			instanceAgg,
-			primaryColor,
-			backgroundColor,
-			warnColor,
-			fontColor,
-			primaryColorDark,
-			backgroundColorDark,
-			warnColorDark,
-			fontColorDark,
-			hideLoginNameSuffix,
-			errorMsgPopup,
-			disableWatermark,
-			themeMode,
-		))
-	if err != nil {
-		return nil, err
-	}
-	pushedEvents, err := c.eventstore.Push(ctx, cmds...)
-	if err != nil {
-		return nil, err
-	}
-	return pushedEventsToObjectDetails(pushedEvents), nil
-}
-
 func (c *Commands) ChangeDefaultLabelPolicy(ctx context.Context, policy *domain.LabelPolicy) (*domain.LabelPolicy, error) {
 	if err := policy.IsValid(); err != nil {
 		return nil, err
@ -373,6 +341,8 @@ func (c *Commands) getDefaultLabelPolicy(ctx context.Context) (*domain.LabelPoli
 	return policy, nil
 }

+// prepareAddDefaultLabelPolicy adds a default label policy, if none exists prior, and activates it directly
+// this functions is only used on instance setup so the policy can be activated directly
 func prepareAddDefaultLabelPolicy(
 	a *instance.Aggregate,
 	primaryColor,
@ -417,6 +387,7 @@ func prepareAddDefaultLabelPolicy(
 					disableWatermark,
 					themeMode,
 				),
+				instance.NewLabelPolicyActivatedEvent(ctx, &a.Aggregate),
 			}, nil
 		}, nil
 	}
--- a/internal/command/instance_policy_label_test.go
+++ b/internal/command/instance_policy_label_test.go
@ -19,160 +19,6 @@ import (
 	"github.com/zitadel/zitadel/internal/zerrors"
 )

-func TestCommandSide_AddDefaultLabelPolicy(t *testing.T) {
-	type fields struct {
-		eventstore *eventstore.Eventstore
-	}
-	type args struct {
-		ctx                 context.Context
-		primaryColor        string
-		backgroundColor     string
-		warnColor           string
-		fontColor           string
-		primaryColorDark    string
-		backgroundColorDark string
-		warnColorDark       string
-		fontColorDark       string
-		hideLoginNameSuffix bool
-		errorMsgPopup       bool
-		disableWatermark    bool
-		themeMode           domain.LabelPolicyThemeMode
-	}
-	type res struct {
-		want *domain.ObjectDetails
-		err  func(error) bool
-	}
-	tests := []struct {
-		name   string
-		fields fields
-		args   args
-		res    res
-	}{
-		{
-			name: "labelpolicy already existing, already exists error",
-			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
-					expectFilter(
-						eventFromEventPusher(
-							instance.NewLabelPolicyAddedEvent(context.Background(),
-								&instance.NewAggregate("INSTANCE").Aggregate,
-								"#ffffff",
-								"#ffffff",
-								"#ffffff",
-								"#ffffff",
-								"#ffffff",
-								"#ffffff",
-								"#ffffff",
-								"#ffffff",
-								true,
-								true,
-								true,
-								domain.LabelPolicyThemeAuto,
-							),
-						),
-					),
-				),
-			},
-			args: args{
-				ctx:                 context.Background(),
-				primaryColor:        "#ffffff",
-				backgroundColor:     "#ffffff",
-				warnColor:           "#ffffff",
-				fontColor:           "#ffffff",
-				primaryColorDark:    "#ffffff",
-				backgroundColorDark: "#ffffff",
-				warnColorDark:       "#ffffff",
-				fontColorDark:       "#ffffff",
-				hideLoginNameSuffix: true,
-				errorMsgPopup:       true,
-				disableWatermark:    true,
-				themeMode:           domain.LabelPolicyThemeAuto,
-			},
-			res: res{
-				err: zerrors.IsErrorAlreadyExists,
-			},
-		},
-		{
-			name: "add policy,ok",
-			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
-					expectFilter(),
-					expectPush(
-						instance.NewLabelPolicyAddedEvent(context.Background(),
-							&instance.NewAggregate("INSTANCE").Aggregate,
-							"#ffffff",
-							"#ffffff",
-							"#ffffff",
-							"#ffffff",
-							"#ffffff",
-							"#ffffff",
-							"#ffffff",
-							"#ffffff",
-							true,
-							true,
-							true,
-							domain.LabelPolicyThemeDark,
-						),
-					),
-				),
-			},
-			args: args{
-				ctx:                 authz.WithInstanceID(context.Background(), "INSTANCE"),
-				primaryColor:        "#ffffff",
-				backgroundColor:     "#ffffff",
-				warnColor:           "#ffffff",
-				fontColor:           "#ffffff",
-				primaryColorDark:    "#ffffff",
-				backgroundColorDark: "#ffffff",
-				warnColorDark:       "#ffffff",
-				fontColorDark:       "#ffffff",
-				hideLoginNameSuffix: true,
-				errorMsgPopup:       true,
-				disableWatermark:    true,
-				themeMode:           domain.LabelPolicyThemeDark,
-			},
-			res: res{
-				want: &domain.ObjectDetails{
-					ResourceOwner: "INSTANCE",
-				},
-			},
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			r := &Commands{
-				eventstore: tt.fields.eventstore,
-			}
-			got, err := r.AddDefaultLabelPolicy(
-				tt.args.ctx,
-				tt.args.primaryColor,
-				tt.args.backgroundColor,
-				tt.args.warnColor,
-				tt.args.fontColor,
-				tt.args.primaryColorDark,
-				tt.args.backgroundColorDark,
-				tt.args.warnColorDark,
-				tt.args.fontColorDark,
-				tt.args.hideLoginNameSuffix,
-				tt.args.errorMsgPopup,
-				tt.args.disableWatermark,
-				tt.args.themeMode,
-			)
-			if tt.res.err == nil {
-				assert.NoError(t, err)
-			}
-			if tt.res.err != nil && !tt.res.err(err) {
-				t.Errorf("got wrong err: %v ", err)
-			}
-			if tt.res.err == nil {
-				assert.Equal(t, tt.res.want, got)
-			}
-		})
-	}
-}
-
 func TestCommandSide_ChangeDefaultLabelPolicy(t *testing.T) {
 	type fields struct {
 		eventstore *eventstore.Eventstore
--- a/internal/command/instance_test.go
+++ b/internal/command/instance_test.go
--- a/internal/command/org.go
+++ b/internal/command/org.go
@ -63,7 +63,7 @@ type CreatedOrgAdmin struct {
 }

 func (c *Commands) setUpOrgWithIDs(ctx context.Context, o *OrgSetup, orgID string, allowInitialMail bool, userIDs ...string) (_ *CreatedOrg, err error) {
-	cmds := c.newOrgSetupCommands(ctx, orgID, o, userIDs)
+	cmds := c.newOrgSetupCommands(ctx, orgID, o)
 	for _, admin := range o.Admins {
 		if err = cmds.setupOrgAdmin(admin, allowInitialMail); err != nil {
 			return nil, err
@ -76,10 +76,10 @@ func (c *Commands) setUpOrgWithIDs(ctx context.Context, o *OrgSetup, orgID strin
 	return cmds.push(ctx)
 }

-func (c *Commands) newOrgSetupCommands(ctx context.Context, orgID string, orgSetup *OrgSetup, userIDs []string) *orgSetupCommands {
+func (c *Commands) newOrgSetupCommands(ctx context.Context, orgID string, orgSetup *OrgSetup) *orgSetupCommands {
 	orgAgg := org.NewAggregate(orgID)
 	validations := []preparation.Validation{
-		AddOrgCommand(ctx, orgAgg, orgSetup.Name, userIDs...),
+		AddOrgCommand(ctx, orgAgg, orgSetup.Name),
 	}
 	return &orgSetupCommands{
 		validations: validations,
@ -233,7 +233,7 @@ func (c *Commands) SetUpOrg(ctx context.Context, o *OrgSetup, allowInitialMail b

 // AddOrgCommand defines the commands to create a new org,
 // this includes the verified default domain
-func AddOrgCommand(ctx context.Context, a *org.Aggregate, name string, userIDs ...string) preparation.Validation {
+func AddOrgCommand(ctx context.Context, a *org.Aggregate, name string) preparation.Validation {
 	return func() (preparation.CreateCommands, error) {
 		if name = strings.TrimSpace(name); name == "" {
 			return nil, zerrors.ThrowInvalidArgument(nil, "ORG-mruNY", "Errors.Invalid.Argument")