fix: check idp existence by org id (#7667)

* fix: search idp by org

* fix unit test

* remove unused method

* test(e2e): await input enabled

* test: policy with org idp

e2e/cypress/e2e/projects/projects.cy.ts

@@ -46,7 +46,7 @@ describe('projects', () => {
     it('should add a role', () => {
       cy.get('[data-e2e="sidenav-element-roles"]').click();
       cy.get('[data-e2e="add-new-role"]').click();
-      cy.get('[formcontrolname="key"]').type(testRoleName);
+      cy.get('[formcontrolname="key"]').should('be.enabled').type(testRoleName);
       cy.get('[formcontrolname="displayName"]').type('e2eroleundertestdisplay');
       cy.get('[formcontrolname="group"]').type('e2eroleundertestgroup');
       cy.get('[data-e2e="save-button"]').click();

internal/command/instance_idp_config.go

@@ -178,17 +178,6 @@ func (c *Commands) RemoveDefaultIDPConfig(ctx context.Context, idpID string, idp
 	return writeModelToObjectDetails(&existingIDP.IDPConfigWriteModel.WriteModel), nil
 }
 
-func (c *Commands) getInstanceIDPConfigByID(ctx context.Context, idpID string) (*domain.IDPConfig, error) {
-	config, err := c.instanceIDPConfigWriteModelByID(ctx, idpID)
-	if err != nil {
-		return nil, err
-	}
-	if !config.State.Exists() {
-		return nil, zerrors.ThrowNotFound(nil, "INSTANCE-p0pFF", "Errors.IDPConfig.NotExisting")
-	}
-	return writeModelToIDPConfig(&config.IDPConfigWriteModel), nil
-}
-
 func (c *Commands) instanceIDPConfigWriteModelByID(ctx context.Context, idpID string) (policy *InstanceIDPConfigWriteModel, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()

internal/command/org_policy_login.go

@@ -416,7 +416,7 @@ func prepareAddLoginPolicy(a *org.Aggregate, policy *AddLoginPolicy) preparation
 				return nil, zerrors.ThrowAlreadyExists(nil, "Org-Dgfb2", "Errors.Org.LoginPolicy.AlreadyExists")
 			}
 			for _, idp := range policy.IDPProviders {
-				exists, err := idpExists(ctx, filter, idp)
+				exists, err := ExistsIDP(ctx, filter, idp.ConfigID, authz.GetCtxData(ctx).OrgID)
 				if !exists || err != nil {
 					return nil, zerrors.ThrowPreconditionFailed(err, "Org-FEd32", "Errors.IDPConfig.NotExisting")
 				}
@@ -493,10 +493,3 @@ func prepareChangeLoginPolicy(a *org.Aggregate, policy *ChangeLoginPolicy) prepa
 		}, nil
 	}
 }
-
-func idpExists(ctx context.Context, filter preparation.FilterToQueryReducer, idp *AddLoginPolicyIDP) (bool, error) {
-	if idp.Type == domain.IdentityProviderTypeSystem {
-		return exists(ctx, filter, NewInstanceIDPConfigWriteModel(ctx, idp.ConfigID))
-	}
-	return exists(ctx, filter, NewOrgIDPConfigWriteModel(idp.ConfigID, authz.GetCtxData(ctx).ResourceOwner))
-}

internal/command/org_policy_login_test.go

@@ -266,8 +266,9 @@ func TestCommandSide_AddLoginPolicy(t *testing.T) {
 			fields: fields{
 				eventstore: eventstoreExpect(
 					t,
-					expectFilter(),
-					expectFilter(),
+					expectFilter(), // reduce login policy
+					expectFilter(), // check if is org idp
+					expectFilter(), // check if is instance idp
 				),
 			},
 			args: args{
@@ -304,11 +305,12 @@ func TestCommandSide_AddLoginPolicy(t *testing.T) {
 			},
 		},
 		{
-			name: "add policy idp, ok",
+			name: "add policy instance idp, ok",
 			fields: fields{
 				eventstore: eventstoreExpect(
 					t,
 					expectFilter(),
+					expectFilter(),
 					expectFilter(
 						eventFromEventPusher(
 							instance.NewIDPConfigAddedEvent(context.Background(),
@@ -385,6 +387,88 @@ func TestCommandSide_AddLoginPolicy(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "add policy org idp, ok",
+			fields: fields{
+				eventstore: eventstoreExpect(
+					t,
+					expectFilter(),
+					expectFilter(
+						eventFromEventPusher(
+							org.NewIDPConfigAddedEvent(context.Background(),
+								&org.NewAggregate("ORG").Aggregate,
+								"config1",
+								"name1",
+								domain.IDPConfigTypeOIDC,
+								domain.IDPConfigStylingTypeGoogle,
+								true,
+							),
+						),
+					),
+					expectPush(
+						org.NewLoginPolicyAddedEvent(context.Background(),
+							&org.NewAggregate("org1").Aggregate,
+							true,
+							true,
+							true,
+							true,
+							true,
+							true,
+							true,
+							true,
+							true,
+							true,
+							domain.PasswordlessTypeAllowed,
+							"https://example.com/redirect",
+							time.Hour*1,
+							time.Hour*2,
+							time.Hour*3,
+							time.Hour*4,
+							time.Hour*5,
+						),
+						org.NewIdentityProviderAddedEvent(context.Background(),
+							&org.NewAggregate("org1").Aggregate,
+							"config1",
+							domain.IdentityProviderTypeOrg,
+						),
+					),
+				),
+			},
+			args: args{
+				ctx:   context.Background(),
+				orgID: "org1",
+				policy: &AddLoginPolicy{
+					AllowRegister:              true,
+					AllowUsernamePassword:      true,
+					AllowExternalIDP:           true,
+					ForceMFA:                   true,
+					ForceMFALocalOnly:          true,
+					HidePasswordReset:          true,
+					IgnoreUnknownUsernames:     true,
+					AllowDomainDiscovery:       true,
+					DisableLoginWithEmail:      true,
+					DisableLoginWithPhone:      true,
+					PasswordlessType:           domain.PasswordlessTypeAllowed,
+					DefaultRedirectURI:         "https://example.com/redirect",
+					PasswordCheckLifetime:      time.Hour * 1,
+					ExternalLoginCheckLifetime: time.Hour * 2,
+					MFAInitSkipLifetime:        time.Hour * 3,
+					SecondFactorCheckLifetime:  time.Hour * 4,
+					MultiFactorCheckLifetime:   time.Hour * 5,
+					IDPProviders: []*AddLoginPolicyIDP{
+						{
+							Type:     domain.IdentityProviderTypeOrg,
+							ConfigID: "config1",
+						},
+					},
+				},
+			},
+			res: res{
+				want: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {