feat: remove org (#4148)

* feat(command): remove org

* refactor: imports, unused code, error handling

* reduce org removed in action

* add org deletion to projections

* add org removal to projections

* add org removal to projections

* org removed projection

* lint import

* projections

* fix: table names in tests

* fix: table names in tests

* logging

* add org state

* fix(domain): add Owner removed to object details

* feat(ListQuery): add with owner removed

* fix(org-delete): add bool to functions to select with owner removed

* fix(org-delete): add bools to user grants with events to determine if dependencies lost owner

* fix(org-delete): add unit tests for owner removed and org removed events

* fix(org-delete): add handling of org remove for grants and members

* fix(org-delete): correction of unit tests for owner removed

* fix(org-delete): update projections, unit tests and get functions

* fix(org-delete): add change date to authnkeys and owner removed to org metadata

* fix(org-delete): include owner removed for login names

* fix(org-delete): some column fixes in projections and build for queries with owner removed

* indexes

* fix(org-delete): include review changes

* fix(org-delete): change user projection name after merge

* fix(org-delete): include review changes for project grant where no project owner is necessary

* fix(org-delete): include auth and adminapi tables with owner removed information

* fix(org-delete): cleanup username and orgdomain uniqueconstraints when org is removed

* fix(org-delete): add permissions for org.remove

* remove unnecessary unique constraints

* fix column order in primary keys

* fix(org-delete): include review changes

* fix(org-delete): add owner removed indexes and chang setup step to create tables

* fix(org-delete): move PK order of instance_id and change added user_grant from review

* fix(org-delete): no params for prepareUserQuery

* change to step 6

* merge main

* fix(org-delete): OldUserName rename to private

* fix linting

* cleanup

* fix: remove org test

* create prerelease

* chore: delete org-delete as prerelease

Co-authored-by: Stefan Benz <stefan@caos.ch>
Co-authored-by: Livio Spring <livio.a@gmail.com>
Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com>
Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>

internal/command/user.go

@@ -12,7 +12,7 @@ import (
 	"github.com/zitadel/zitadel/internal/command/preparation"
 	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/domain"
-	caos_errs "github.com/zitadel/zitadel/internal/errors"
+	"github.com/zitadel/zitadel/internal/errors"
 	"github.com/zitadel/zitadel/internal/eventstore"
 	"github.com/zitadel/zitadel/internal/eventstore/v1/models"
 	"github.com/zitadel/zitadel/internal/repository/user"
@@ -22,7 +22,7 @@ import (
 func (c *Commands) ChangeUsername(ctx context.Context, orgID, userID, userName string) (*domain.ObjectDetails, error) {
 	userName = strings.TrimSpace(userName)
 	if orgID == "" || userID == "" || userName == "" {
-		return nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-2N9fs", "Errors.IDMissing")
+		return nil, errors.ThrowInvalidArgument(nil, "COMMAND-2N9fs", "Errors.IDMissing")
 	}
 
 	existingUser, err := c.userWriteModelByID(ctx, userID, orgID)
@@ -31,16 +31,16 @@ func (c *Commands) ChangeUsername(ctx context.Context, orgID, userID, userName s
 	}
 
 	if !isUserStateExists(existingUser.UserState) {
-		return nil, caos_errs.ThrowNotFound(nil, "COMMAND-5N9ds", "Errors.User.NotFound")
+		return nil, errors.ThrowNotFound(nil, "COMMAND-5N9ds", "Errors.User.NotFound")
 	}
 
 	if existingUser.UserName == userName {
-		return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-6m9gs", "Errors.User.UsernameNotChanged")
+		return nil, errors.ThrowPreconditionFailed(nil, "COMMAND-6m9gs", "Errors.User.UsernameNotChanged")
 	}
 
 	domainPolicy, err := c.getOrgDomainPolicy(ctx, orgID)
 	if err != nil {
-		return nil, caos_errs.ThrowPreconditionFailed(err, "COMMAND-38fnu", "Errors.Org.DomainPolicy.NotExisting")
+		return nil, errors.ThrowPreconditionFailed(err, "COMMAND-38fnu", "Errors.Org.DomainPolicy.NotExisting")
 	}
 
 	if err := CheckDomainPolicyForUserName(userName, domainPolicy); err != nil {
@@ -62,7 +62,7 @@ func (c *Commands) ChangeUsername(ctx context.Context, orgID, userID, userName s
 
 func (c *Commands) DeactivateUser(ctx context.Context, userID, resourceOwner string) (*domain.ObjectDetails, error) {
 	if userID == "" {
-		return nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-m0gDf", "Errors.User.UserIDMissing")
+		return nil, errors.ThrowInvalidArgument(nil, "COMMAND-m0gDf", "Errors.User.UserIDMissing")
 	}
 
 	existingUser, err := c.userWriteModelByID(ctx, userID, resourceOwner)
@@ -70,13 +70,13 @@ func (c *Commands) DeactivateUser(ctx context.Context, userID, resourceOwner str
 		return nil, err
 	}
 	if !isUserStateExists(existingUser.UserState) {
-		return nil, caos_errs.ThrowNotFound(nil, "COMMAND-3M9ds", "Errors.User.NotFound")
+		return nil, errors.ThrowNotFound(nil, "COMMAND-3M9ds", "Errors.User.NotFound")
 	}
 	if isUserStateInitial(existingUser.UserState) {
-		return nil, caos_errs.ThrowNotFound(nil, "COMMAND-ke0fw", "Errors.User.CantDeactivateInitial")
+		return nil, errors.ThrowNotFound(nil, "COMMAND-ke0fw", "Errors.User.CantDeactivateInitial")
 	}
 	if isUserStateInactive(existingUser.UserState) {
-		return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-5M0sf", "Errors.User.AlreadyInactive")
+		return nil, errors.ThrowPreconditionFailed(nil, "COMMAND-5M0sf", "Errors.User.AlreadyInactive")
 	}
 
 	pushedEvents, err := c.eventstore.Push(ctx,
@@ -93,7 +93,7 @@ func (c *Commands) DeactivateUser(ctx context.Context, userID, resourceOwner str
 
 func (c *Commands) ReactivateUser(ctx context.Context, userID, resourceOwner string) (*domain.ObjectDetails, error) {
 	if userID == "" {
-		return nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-4M9ds", "Errors.User.UserIDMissing")
+		return nil, errors.ThrowInvalidArgument(nil, "COMMAND-4M9ds", "Errors.User.UserIDMissing")
 	}
 
 	existingUser, err := c.userWriteModelByID(ctx, userID, resourceOwner)
@@ -101,10 +101,10 @@ func (c *Commands) ReactivateUser(ctx context.Context, userID, resourceOwner str
 		return nil, err
 	}
 	if !isUserStateExists(existingUser.UserState) {
-		return nil, caos_errs.ThrowNotFound(nil, "COMMAND-4M0sd", "Errors.User.NotFound")
+		return nil, errors.ThrowNotFound(nil, "COMMAND-4M0sd", "Errors.User.NotFound")
 	}
 	if !isUserStateInactive(existingUser.UserState) {
-		return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-6M0sf", "Errors.User.NotInactive")
+		return nil, errors.ThrowPreconditionFailed(nil, "COMMAND-6M0sf", "Errors.User.NotInactive")
 	}
 
 	pushedEvents, err := c.eventstore.Push(ctx,
@@ -121,7 +121,7 @@ func (c *Commands) ReactivateUser(ctx context.Context, userID, resourceOwner str
 
 func (c *Commands) LockUser(ctx context.Context, userID, resourceOwner string) (*domain.ObjectDetails, error) {
 	if userID == "" {
-		return nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-2M0sd", "Errors.User.UserIDMissing")
+		return nil, errors.ThrowInvalidArgument(nil, "COMMAND-2M0sd", "Errors.User.UserIDMissing")
 	}
 
 	existingUser, err := c.userWriteModelByID(ctx, userID, resourceOwner)
@@ -129,10 +129,10 @@ func (c *Commands) LockUser(ctx context.Context, userID, resourceOwner string) (
 		return nil, err
 	}
 	if !isUserStateExists(existingUser.UserState) {
-		return nil, caos_errs.ThrowNotFound(nil, "COMMAND-5M9fs", "Errors.User.NotFound")
+		return nil, errors.ThrowNotFound(nil, "COMMAND-5M9fs", "Errors.User.NotFound")
 	}
 	if !hasUserState(existingUser.UserState, domain.UserStateActive, domain.UserStateInitial) {
-		return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-3NN8v", "Errors.User.ShouldBeActiveOrInitial")
+		return nil, errors.ThrowPreconditionFailed(nil, "COMMAND-3NN8v", "Errors.User.ShouldBeActiveOrInitial")
 	}
 
 	pushedEvents, err := c.eventstore.Push(ctx,
@@ -149,7 +149,7 @@ func (c *Commands) LockUser(ctx context.Context, userID, resourceOwner string) (
 
 func (c *Commands) UnlockUser(ctx context.Context, userID, resourceOwner string) (*domain.ObjectDetails, error) {
 	if userID == "" {
-		return nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-M0dse", "Errors.User.UserIDMissing")
+		return nil, errors.ThrowInvalidArgument(nil, "COMMAND-M0dse", "Errors.User.UserIDMissing")
 	}
 
 	existingUser, err := c.userWriteModelByID(ctx, userID, resourceOwner)
@@ -157,10 +157,10 @@ func (c *Commands) UnlockUser(ctx context.Context, userID, resourceOwner string)
 		return nil, err
 	}
 	if !isUserStateExists(existingUser.UserState) {
-		return nil, caos_errs.ThrowNotFound(nil, "COMMAND-M0dos", "Errors.User.NotFound")
+		return nil, errors.ThrowNotFound(nil, "COMMAND-M0dos", "Errors.User.NotFound")
 	}
 	if !hasUserState(existingUser.UserState, domain.UserStateLocked) {
-		return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-4M0ds", "Errors.User.NotLocked")
+		return nil, errors.ThrowPreconditionFailed(nil, "COMMAND-4M0ds", "Errors.User.NotLocked")
 	}
 
 	pushedEvents, err := c.eventstore.Push(ctx,
@@ -177,7 +177,7 @@ func (c *Commands) UnlockUser(ctx context.Context, userID, resourceOwner string)
 
 func (c *Commands) RemoveUser(ctx context.Context, userID, resourceOwner string, cascadingUserMemberships []*CascadingMembership, cascadingGrantIDs ...string) (*domain.ObjectDetails, error) {
 	if userID == "" {
-		return nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-2M0ds", "Errors.User.UserIDMissing")
+		return nil, errors.ThrowInvalidArgument(nil, "COMMAND-2M0ds", "Errors.User.UserIDMissing")
 	}
 
 	existingUser, err := c.userWriteModelByID(ctx, userID, resourceOwner)
@@ -185,12 +185,12 @@ func (c *Commands) RemoveUser(ctx context.Context, userID, resourceOwner string,
 		return nil, err
 	}
 	if !isUserStateExists(existingUser.UserState) {
-		return nil, caos_errs.ThrowNotFound(nil, "COMMAND-m9od", "Errors.User.NotFound")
+		return nil, errors.ThrowNotFound(nil, "COMMAND-m9od", "Errors.User.NotFound")
 	}
 
 	domainPolicy, err := c.getOrgDomainPolicy(ctx, existingUser.ResourceOwner)
 	if err != nil {
-		return nil, caos_errs.ThrowPreconditionFailed(err, "COMMAND-3M9fs", "Errors.Org.DomainPolicy.NotExisting")
+		return nil, errors.ThrowPreconditionFailed(err, "COMMAND-3M9fs", "Errors.Org.DomainPolicy.NotExisting")
 	}
 	var events []eventstore.Command
 	userAgg := UserAggregateFromWriteModel(&existingUser.WriteModel)
@@ -226,7 +226,7 @@ func (c *Commands) RemoveUser(ctx context.Context, userID, resourceOwner string,
 
 func (c *Commands) AddUserToken(ctx context.Context, orgID, agentID, clientID, userID string, audience, scopes []string, lifetime time.Duration) (*domain.Token, error) {
 	if userID == "" { //do not check for empty orgID (JWT Profile requests won't provide it, so service user requests fail)
-		return nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-Dbge4", "Errors.IDMissing")
+		return nil, errors.ThrowInvalidArgument(nil, "COMMAND-Dbge4", "Errors.IDMissing")
 	}
 	userWriteModel := NewUserWriteModel(userID, orgID)
 	event, accessToken, err := c.addUserToken(ctx, userWriteModel, agentID, clientID, "", audience, scopes, lifetime)
@@ -262,7 +262,7 @@ func (c *Commands) addUserToken(ctx context.Context, userWriteModel *UserWriteMo
 		return nil, nil, err
 	}
 	if !isUserStateExists(userWriteModel.UserState) {
-		return nil, nil, caos_errs.ThrowNotFound(nil, "COMMAND-1d6Gg", "Errors.User.NotFound")
+		return nil, nil, errors.ThrowNotFound(nil, "COMMAND-1d6Gg", "Errors.User.NotFound")
 	}
 
 	audience = domain.AddAudScopeToAudience(ctx, audience, scopes)
@@ -297,7 +297,7 @@ func (c *Commands) addUserToken(ctx context.Context, userWriteModel *UserWriteMo
 
 func (c *Commands) removeAccessToken(ctx context.Context, userID, orgID, tokenID string) (*user.UserTokenRemovedEvent, *UserAccessTokenWriteModel, error) {
 	if userID == "" || orgID == "" || tokenID == "" {
-		return nil, nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-Dng42", "Errors.IDMissing")
+		return nil, nil, errors.ThrowInvalidArgument(nil, "COMMAND-Dng42", "Errors.IDMissing")
 	}
 	refreshTokenWriteModel := NewUserAccessTokenWriteModel(userID, orgID, tokenID)
 	err := c.eventstore.FilterToQueryReducer(ctx, refreshTokenWriteModel)
@@ -305,7 +305,7 @@ func (c *Commands) removeAccessToken(ctx context.Context, userID, orgID, tokenID
 		return nil, nil, err
 	}
 	if refreshTokenWriteModel.UserState != domain.UserStateActive {
-		return nil, nil, caos_errs.ThrowNotFound(nil, "COMMAND-BF4hd", "Errors.User.AccessToken.NotFound")
+		return nil, nil, errors.ThrowNotFound(nil, "COMMAND-BF4hd", "Errors.User.AccessToken.NotFound")
 	}
 	userAgg := UserAggregateFromWriteModel(&refreshTokenWriteModel.WriteModel)
 	return user.NewUserTokenRemovedEvent(ctx, userAgg, tokenID), refreshTokenWriteModel, nil
@@ -317,7 +317,7 @@ func (c *Commands) userDomainClaimed(ctx context.Context, userID string) (events
 		return nil, nil, err
 	}
 	if existingUser.UserState == domain.UserStateUnspecified || existingUser.UserState == domain.UserStateDeleted {
-		return nil, nil, caos_errs.ThrowNotFound(nil, "COMMAND-ii9K0", "Errors.User.NotFound")
+		return nil, nil, errors.ThrowNotFound(nil, "COMMAND-ii9K0", "Errors.User.NotFound")
 	}
 	changedUserGrant := NewUserWriteModel(userID, existingUser.ResourceOwner)
 	userAgg := UserAggregateFromWriteModel(&changedUserGrant.WriteModel)
@@ -347,7 +347,7 @@ func (c *Commands) prepareUserDomainClaimed(ctx context.Context, filter preparat
 		return nil, err
 	}
 	if !userWriteModel.UserState.Exists() {
-		return nil, caos_errs.ThrowNotFound(nil, "COMMAND-ii9K0", "Errors.User.NotFound")
+		return nil, errors.ThrowNotFound(nil, "COMMAND-ii9K0", "Errors.User.NotFound")
 	}
 	domainPolicy, err := domainPolicyWriteModel(ctx, filter)
 	if err != nil {
@@ -370,14 +370,14 @@ func (c *Commands) prepareUserDomainClaimed(ctx context.Context, filter preparat
 
 func (c *Commands) UserDomainClaimedSent(ctx context.Context, orgID, userID string) (err error) {
 	if userID == "" {
-		return caos_errs.ThrowInvalidArgument(nil, "COMMAND-5m0fs", "Errors.IDMissing")
+		return errors.ThrowInvalidArgument(nil, "COMMAND-5m0fs", "Errors.IDMissing")
 	}
 	existingUser, err := c.userWriteModelByID(ctx, userID, orgID)
 	if err != nil {
 		return err
 	}
 	if !isUserStateExists(existingUser.UserState) {
-		return caos_errs.ThrowNotFound(nil, "COMMAND-5m9gK", "Errors.User.NotFound")
+		return errors.ThrowNotFound(nil, "COMMAND-5m9gK", "Errors.User.NotFound")
 	}
 
 	_, err = c.eventstore.Push(ctx,
@@ -391,7 +391,7 @@ func (c *Commands) checkUserExists(ctx context.Context, userID, resourceOwner st
 		return err
 	}
 	if !isUserStateExists(existingUser.UserState) {
-		return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-uXHNj", "Errors.User.NotFound")
+		return errors.ThrowPreconditionFailed(nil, "COMMAND-uXHNj", "Errors.User.NotFound")
 	}
 	return nil
 }