feat: remove org (#4148)

* feat(command): remove org

* refactor: imports, unused code, error handling

* reduce org removed in action

* add org deletion to projections

* add org removal to projections

* add org removal to projections

* org removed projection

* lint import

* projections

* fix: table names in tests

* fix: table names in tests

* logging

* add org state

* fix(domain): add Owner removed to object details

* feat(ListQuery): add with owner removed

* fix(org-delete): add bool to functions to select with owner removed

* fix(org-delete): add bools to user grants with events to determine if dependencies lost owner

* fix(org-delete): add unit tests for owner removed and org removed events

* fix(org-delete): add handling of org remove for grants and members

* fix(org-delete): correction of unit tests for owner removed

* fix(org-delete): update projections, unit tests and get functions

* fix(org-delete): add change date to authnkeys and owner removed to org metadata

* fix(org-delete): include owner removed for login names

* fix(org-delete): some column fixes in projections and build for queries with owner removed

* indexes

* fix(org-delete): include review changes

* fix(org-delete): change user projection name after merge

* fix(org-delete): include review changes for project grant where no project owner is necessary

* fix(org-delete): include auth and adminapi tables with owner removed information

* fix(org-delete): cleanup username and orgdomain uniqueconstraints when org is removed

* fix(org-delete): add permissions for org.remove

* remove unnecessary unique constraints

* fix column order in primary keys

* fix(org-delete): include review changes

* fix(org-delete): add owner removed indexes and chang setup step to create tables

* fix(org-delete): move PK order of instance_id and change added user_grant from review

* fix(org-delete): no params for prepareUserQuery

* change to step 6

* merge main

* fix(org-delete): OldUserName rename to private

* fix linting

* cleanup

* fix: remove org test

* create prerelease

* chore: delete org-delete as prerelease

Co-authored-by: Stefan Benz <stefan@caos.ch>
Co-authored-by: Livio Spring <livio.a@gmail.com>
Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com>
Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>

internal/auth/repository/eventsourcing/handler/idp_config.go

@@ -17,7 +17,7 @@ import (
 )
 
 const (
-	idpConfigTable = "auth.idp_configs"
+	idpConfigTable = "auth.idp_configs2"
 )
 
 type IDPConfig struct {
@@ -121,6 +121,8 @@ func (i *IDPConfig) processIdpConfig(providerType iam_model.IDPProviderType, eve
 		return i.view.DeleteIDPConfig(idp.IDPConfigID, event)
 	case instance.InstanceRemovedEventType:
 		return i.view.DeleteInstanceIDPs(event)
+	case org.OrgRemovedEventType:
+		return i.view.UpdateOrgOwnerRemovedIDPs(event)
 	default:
 		return i.view.ProcessedIDPConfigSequence(event)
 	}

internal/auth/repository/eventsourcing/handler/idp_providers.go

@@ -21,7 +21,7 @@ import (
 )
 
 const (
-	idpProviderTable = "auth.idp_providers"
+	idpProviderTable = "auth.idp_providers2"
 )
 
 type IDPProvider struct {
@@ -140,7 +140,9 @@ func (i *IDPProvider) processIdpProvider(event *models.Event) (err error) {
 	case org.LoginPolicyRemovedEventType:
 		return i.view.DeleteIDPProvidersByAggregateID(event.AggregateID, event.InstanceID, event)
 	case instance.InstanceRemovedEventType:
-		return i.view.DeleteInstanceIDPs(event)
+		return i.view.DeleteInstanceIDPProviders(event)
+	case org.OrgRemovedEventType:
+		return i.view.UpdateOrgOwnerRemovedIDPProviders(event)
 	default:
 		return i.view.ProcessedIDPProviderSequence(event)
 	}
@@ -194,9 +196,9 @@ func (i *IDPProvider) OnSuccess(instanceIDs []string) error {
 }
 
 func (i *IDPProvider) getOrgIDPConfig(instanceID, aggregateID, idpConfigID string) (*query2.IDP, error) {
-	return i.queries.IDPByIDAndResourceOwner(withInstanceID(context.Background(), instanceID), false, idpConfigID, aggregateID)
+	return i.queries.IDPByIDAndResourceOwner(withInstanceID(context.Background(), instanceID), false, idpConfigID, aggregateID, false)
 }
 
 func (i *IDPProvider) getDefaultIDPConfig(instanceID, idpConfigID string) (*query2.IDP, error) {
-	return i.queries.IDPByIDAndResourceOwner(withInstanceID(context.Background(), instanceID), false, idpConfigID, instanceID)
+	return i.queries.IDPByIDAndResourceOwner(withInstanceID(context.Background(), instanceID), false, idpConfigID, instanceID, false)
 }

internal/auth/repository/eventsourcing/handler/org_project_mapping.go

@@ -12,11 +12,12 @@ import (
 	"github.com/zitadel/zitadel/internal/eventstore/v1/spooler"
 	view_model "github.com/zitadel/zitadel/internal/project/repository/view/model"
 	"github.com/zitadel/zitadel/internal/repository/instance"
+	"github.com/zitadel/zitadel/internal/repository/org"
 	"github.com/zitadel/zitadel/internal/repository/project"
 )
 
 const (
-	orgProjectMappingTable = "auth.org_project_mapping"
+	orgProjectMappingTable = "auth.org_project_mapping2"
 )
 
 type OrgProjectMapping struct {
@@ -108,6 +109,8 @@ func (p *OrgProjectMapping) Reduce(event *es_models.Event) (err error) {
 		}
 	case instance.InstanceRemovedEventType:
 		return p.view.DeleteInstanceOrgProjectMappings(event)
+	case org.OrgRemovedEventType:
+		return p.view.UpdateOwnerRemovedOrgProjectMappings(event)
 	default:
 		return p.view.ProcessedOrgProjectMappingSequence(event)
 	}

internal/auth/repository/eventsourcing/handler/refresh_token.go

@@ -13,6 +13,7 @@ import (
 	"github.com/zitadel/zitadel/internal/eventstore/v1/query"
 	"github.com/zitadel/zitadel/internal/eventstore/v1/spooler"
 	"github.com/zitadel/zitadel/internal/repository/instance"
+	"github.com/zitadel/zitadel/internal/repository/org"
 	"github.com/zitadel/zitadel/internal/repository/project"
 	"github.com/zitadel/zitadel/internal/repository/user"
 	view_model "github.com/zitadel/zitadel/internal/user/repository/view/model"
@@ -114,6 +115,8 @@ func (t *RefreshToken) Reduce(event *es_models.Event) (err error) {
 		return t.view.DeleteUserRefreshTokens(event.AggregateID, event.InstanceID, event)
 	case instance.InstanceRemovedEventType:
 		return t.view.DeleteInstanceRefreshTokens(event)
+	case org.OrgRemovedEventType:
+		return t.view.DeleteOrgRefreshTokens(event)
 	default:
 		return t.view.ProcessedRefreshTokenSequence(event)
 	}

internal/auth/repository/eventsourcing/handler/token.go

@@ -17,6 +17,7 @@ import (
 	project_es_model "github.com/zitadel/zitadel/internal/project/repository/eventsourcing/model"
 	proj_view "github.com/zitadel/zitadel/internal/project/repository/view"
 	"github.com/zitadel/zitadel/internal/repository/instance"
+	"github.com/zitadel/zitadel/internal/repository/org"
 	"github.com/zitadel/zitadel/internal/repository/project"
 	"github.com/zitadel/zitadel/internal/repository/user"
 	user_repo "github.com/zitadel/zitadel/internal/repository/user"
@@ -151,6 +152,11 @@ func (t *Token) Reduce(event *es_models.Event) (err error) {
 		return t.view.DeleteApplicationTokens(event, applicationsIDs...)
 	case instance.InstanceRemovedEventType:
 		return t.view.DeleteInstanceTokens(event)
+	case org.OrgRemovedEventType:
+		// deletes all tokens including PATs, which is expected for now
+		// if there is an undo of the org deletion in the future,
+		// we will need to have a look on how to handle the deleted PATs
+		return t.view.DeleteOrgTokens(event)
 	default:
 		return t.view.ProcessedTokenSequence(event)
 	}

internal/auth/repository/eventsourcing/handler/user.go

@@ -24,7 +24,7 @@ import (
 )
 
 const (
-	userTable = "auth.users"
+	userTable = "auth.users2"
 )
 
 type User struct {
@@ -228,6 +228,8 @@ func (u *User) ProcessOrg(event *es_models.Event) (err error) {
 		return u.fillLoginNamesOnOrgUsers(event)
 	case org.OrgDomainPrimarySetEventType:
 		return u.fillPreferredLoginNamesOnOrgUsers(event)
+	case org.OrgRemovedEventType:
+		return u.view.UpdateOrgOwnerRemovedUsers(event)
 	default:
 		return u.view.ProcessedUserSequence(event)
 	}

internal/auth/repository/eventsourcing/handler/user_external_idps.go

@@ -22,7 +22,7 @@ import (
 )
 
 const (
-	externalIDPTable = "auth.user_external_idps"
+	externalIDPTable = "auth.user_external_idps2"
 )
 
 type ExternalIDP struct {
@@ -153,6 +153,8 @@ func (i *ExternalIDP) processIdpConfig(event *es_models.Event) (err error) {
 		return i.view.PutExternalIDPs(event, exterinalIDPs...)
 	case instance.InstanceRemovedEventType:
 		return i.view.DeleteInstanceExternalIDPs(event)
+	case org.OrgRemovedEventType:
+		return i.view.UpdateOrgOwnerRemovedExternalIDPs(event)
 	default:
 		return i.view.ProcessedExternalIDPSequence(event)
 	}
@@ -184,9 +186,9 @@ func (i *ExternalIDP) OnSuccess(instanceIDs []string) error {
 }
 
 func (i *ExternalIDP) getOrgIDPConfig(instanceID, aggregateID, idpConfigID string) (*query2.IDP, error) {
-	return i.queries.IDPByIDAndResourceOwner(withInstanceID(context.Background(), instanceID), false, idpConfigID, aggregateID)
+	return i.queries.IDPByIDAndResourceOwner(withInstanceID(context.Background(), instanceID), false, idpConfigID, aggregateID, false)
 }
 
 func (i *ExternalIDP) getDefaultIDPConfig(instanceID, idpConfigID string) (*query2.IDP, error) {
-	return i.queries.IDPByIDAndResourceOwner(withInstanceID(context.Background(), instanceID), false, idpConfigID, instanceID)
+	return i.queries.IDPByIDAndResourceOwner(withInstanceID(context.Background(), instanceID), false, idpConfigID, instanceID, false)
 }

internal/auth/repository/eventsourcing/handler/user_session.go

@@ -156,6 +156,8 @@ func (u *UserSession) Reduce(event *models.Event) (err error) {
 		return u.view.DeleteUserSessions(event.AggregateID, event.InstanceID, event)
 	case instance.InstanceRemovedEventType:
 		return u.view.DeleteInstanceUserSessions(event)
+	case org.OrgRemovedEventType:
+		return u.view.DeleteOrgUserSessions(event)
 	default:
 		return u.view.ProcessedUserSessionSequence(event)
 	}