feat: policies on aggregates (#799)

* feat: move pw policy

* feat: default pw complexity policy

* fix: org password complexity policy

* fix: org password complexity policy

* fix: pw complexity policy with setup

* fix: age and lockout policies on aggregates

* fix: migration

* fix: org iam policy

* fix: org iam policy

* fix: org iam policy

* fix: tests

* fix: policy request

* fix: merge master

* fix(console): policies frontend (#817)

* fix policy build

* fix: age, complexity, lockout policies

* fix: ready return err of setup not done

* fix: fix remove policies in spoolers

* fix: fix remove policies in spoolers

* feat(console): policy settings for iam and org (#824)

* fix policy build

* fix: age, complexity, lockout policies

* fix pwd complexity

* policy remove action

* add imports

* fix accounts card, enable mgmt login policy

* lint

* add iam policy to admin

* toasts, i18n, show default

* routing, i18n

* reset policy, toast i18n, cleanup, routing

* policy delete permission

* lint style

* delete iam policy

* delete non project from grid list, i18n

* lint ts, style

* fix: remove instead delete

* feat(console): delete external idp from user (#835)

* dialog i18n, delete column and function

* dialog i18n

* fix rm button

* Update console/src/assets/i18n/de.json

Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>

* Update console/src/assets/i18n/de.json

Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>

* fix: revert env, rename policy, remove comments

* fix: lowercase sich

* fix: pr requests

* Update internal/iam/repository/eventsourcing/eventstore_test.go

Co-authored-by: Silvan <silvan.reusser@gmail.com>

* fix: tests

* fix: tests

* fix(console): policies (#839)

* fix: nil pointer on get userdata (#815)

* fix: external login (#818)

* fix: external login

* fix: external login

* feat(console): delete user (#819)

* add action col to user table, i18n

* delete user from detail component

* lint

* fix(console): cleanup user detail and member components, user/me redirect, permission guards, filter, org policy guard, user table, scss cleanup (#808)

* fix: remove user.write guard for filtering

* border color

* fix user routing from member tables

* idp detail layout

* generic contact component

* fix redirect to auth user, user grant disable

* disable policy action without permission, i18n

* user-create flex fix, contact ng-content

* rm unused styles

* sidenav divider

* lint

* chore(deps-dev): bump @angular/cli from 10.1.3 to 10.1.4 in /console (#806)

* fix: user session with external login (#797)

* fix: user session with external login

* fix: tests

* fix: tests

* fix: change idp config name

* fix(container): stop copying / and instead only copy zitadel (#691)

* chore: stop copying / and instead only copy zitadel

* Update Dockerfile

* Update release.yml

* enable anchors debug

* fix(container): don't copy alpine content into scratch execpt pwd

* chore: remove need step

* merge master

* chore(deps-dev): bump @angular/cli from 10.1.3 to 10.1.4 in /console

Bumps [@angular/cli](https://github.com/angular/angular-cli) from 10.1.3 to 10.1.4.
- [Release notes](https://github.com/angular/angular-cli/releases)
- [Commits](https://github.com/angular/angular-cli/compare/v10.1.3...v10.1.4)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
Co-authored-by: Florian Forster <florian@caos.ch>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @angular/language-service from 10.1.3 to 10.1.4 in /console (#805)

* fix: user session with external login (#797)

* fix: user session with external login

* fix: tests

* fix: tests

* fix: change idp config name

* fix(container): stop copying / and instead only copy zitadel (#691)

* chore: stop copying / and instead only copy zitadel

* Update Dockerfile

* Update release.yml

* enable anchors debug

* fix(container): don't copy alpine content into scratch execpt pwd

* chore: remove need step

* merge master

* chore(deps-dev): bump @angular/language-service in /console

Bumps [@angular/language-service](https://github.com/angular/angular/tree/HEAD/packages/language-service) from 10.1.3 to 10.1.4.
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/master/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/10.1.4/packages/language-service)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
Co-authored-by: Florian Forster <florian@caos.ch>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump codelyzer from 6.0.0 to 6.0.1 in /console (#804)

* fix: user session with external login (#797)

* fix: user session with external login

* fix: tests

* fix: tests

* fix: change idp config name

* fix(container): stop copying / and instead only copy zitadel (#691)

* chore: stop copying / and instead only copy zitadel

* Update Dockerfile

* Update release.yml

* enable anchors debug

* fix(container): don't copy alpine content into scratch execpt pwd

* chore: remove need step

* merge master

* chore(deps-dev): bump codelyzer from 6.0.0 to 6.0.1 in /console

Bumps [codelyzer](https://github.com/mgechev/codelyzer) from 6.0.0 to 6.0.1.
- [Release notes](https://github.com/mgechev/codelyzer/releases)
- [Changelog](https://github.com/mgechev/codelyzer/blob/master/CHANGELOG.md)
- [Commits](https://github.com/mgechev/codelyzer/commits/6.0.1)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
Co-authored-by: Florian Forster <florian@caos.ch>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @angular-devkit/build-angular from 0.1000.8 to 0.1001.4 in /console (#803)

* fix: user session with external login (#797)

* fix: user session with external login

* fix: tests

* fix: tests

* fix: change idp config name

* fix(container): stop copying / and instead only copy zitadel (#691)

* chore: stop copying / and instead only copy zitadel

* Update Dockerfile

* Update release.yml

* enable anchors debug

* fix(container): don't copy alpine content into scratch execpt pwd

* chore: remove need step

* merge master

* chore(deps-dev): bump @angular-devkit/build-angular in /console

Bumps [@angular-devkit/build-angular](https://github.com/angular/angular-cli) from 0.1000.8 to 0.1001.4.
- [Release notes](https://github.com/angular/angular-cli/releases)
- [Commits](https://github.com/angular/angular-cli/commits)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
Co-authored-by: Florian Forster <florian@caos.ch>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Max Peintner <max@caos.ch>

* chore(deps): bump uuid from 8.3.0 to 8.3.1 in /console (#802)

* fix: user session with external login (#797)

* fix: user session with external login

* fix: tests

* fix: tests

* fix: change idp config name

* fix(container): stop copying / and instead only copy zitadel (#691)

* chore: stop copying / and instead only copy zitadel

* Update Dockerfile

* Update release.yml

* enable anchors debug

* fix(container): don't copy alpine content into scratch execpt pwd

* chore: remove need step

* merge master

* chore(deps): bump uuid from 8.3.0 to 8.3.1 in /console

Bumps [uuid](https://github.com/uuidjs/uuid) from 8.3.0 to 8.3.1.
- [Release notes](https://github.com/uuidjs/uuid/releases)
- [Changelog](https://github.com/uuidjs/uuid/blob/master/CHANGELOG.md)
- [Commits](https://github.com/uuidjs/uuid/compare/v8.3.0...v8.3.1)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
Co-authored-by: Florian Forster <florian@caos.ch>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* create memberstable as common component

* iam member cleanup

* iam + org m table, user table service user avatar

* toast config

* fix selection emitter

* fix project grant table width

* project grant members refactor

* theme optimizations

* member table col delete

* lint

* fix table row color

* refactor grey color

* lint scss

* org list redirect on click, fix user table undef

* refresh table after grant add

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
Co-authored-by: Florian Forster <florian@caos.ch>

* fix(console): intercept navigator.language, set browser lang as default for user without explicit setting, user table outline, member create dialog import (#820)

* i18n interceptor, set language to browser lang

* nullcheck

* rm external idp log

* fix module imports, rm user displayname from i18n

* Update console/src/assets/i18n/de.json

Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>

* fix: delete external idps from users (#822)

* fix(console): permission regex, account switcher null check, restrict app and member create access (#821)

* fix member table disable, gerneal regexp

* fix user session card, app disable

* memberships max count

* fix policy permissions

* permission check for member add dialog

* lint

* rm accounts log

* rm id regex

* fix: handle usermemberships on project and project grant delete (#825)

* fix: go handler

Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Florian Forster <florian@caos.ch>

* fix: tests

* fix: not needed error handling

Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: Silvan <silvan.reusser@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Florian Forster <florian@caos.ch>

internal/iam/repository/eventsourcing/model/iam.go

@@ -16,21 +16,24 @@ const (
 type Step int
 
 const (
-	Step1 = Step(model.Step1)
-	//TODO: label policy
-	// Step2     = Step(model.Step2)
+	Step1     = Step(model.Step1)
+	Step2     = Step(model.Step2)
 	StepCount = Step(model.StepCount)
 )
 
 type IAM struct {
 	es_models.ObjectRoot
-	SetUpStarted       Step         `json:"-"`
-	SetUpDone          Step         `json:"-"`
-	GlobalOrgID        string       `json:"globalOrgId,omitempty"`
-	IAMProjectID       string       `json:"iamProjectId,omitempty"`
-	Members            []*IAMMember `json:"-"`
-	IDPs               []*IDPConfig `json:"-"`
-	DefaultLoginPolicy *LoginPolicy `json:"-"`
+	SetUpStarted                    Step                      `json:"-"`
+	SetUpDone                       Step                      `json:"-"`
+	GlobalOrgID                     string                    `json:"globalOrgId,omitempty"`
+	IAMProjectID                    string                    `json:"iamProjectId,omitempty"`
+	Members                         []*IAMMember              `json:"-"`
+	IDPs                            []*IDPConfig              `json:"-"`
+	DefaultLoginPolicy              *LoginPolicy              `json:"-"`
+	DefaultOrgIAMPolicy             *OrgIAMPolicy             `json:"-"`
+	DefaultPasswordComplexityPolicy *PasswordComplexityPolicy `json:"-"`
+	DefaultPasswordAgePolicy        *PasswordAgePolicy        `json:"-"`
+	DefaultPasswordLockoutPolicy    *PasswordLockoutPolicy    `json:"-"`
 }
 
 func IAMFromModel(iam *model.IAM) *IAM {
@@ -48,6 +51,18 @@ func IAMFromModel(iam *model.IAM) *IAM {
 	if iam.DefaultLoginPolicy != nil {
 		converted.DefaultLoginPolicy = LoginPolicyFromModel(iam.DefaultLoginPolicy)
 	}
+	if iam.DefaultPasswordComplexityPolicy != nil {
+		converted.DefaultPasswordComplexityPolicy = PasswordComplexityPolicyFromModel(iam.DefaultPasswordComplexityPolicy)
+	}
+	if iam.DefaultPasswordAgePolicy != nil {
+		converted.DefaultPasswordAgePolicy = PasswordAgePolicyFromModel(iam.DefaultPasswordAgePolicy)
+	}
+	if iam.DefaultPasswordLockoutPolicy != nil {
+		converted.DefaultPasswordLockoutPolicy = PasswordLockoutPolicyFromModel(iam.DefaultPasswordLockoutPolicy)
+	}
+	if iam.DefaultOrgIAMPolicy != nil {
+		converted.DefaultOrgIAMPolicy = OrgIAMPolicyFromModel(iam.DefaultOrgIAMPolicy)
+	}
 	return converted
 }
 
@@ -66,6 +81,18 @@ func IAMToModel(iam *IAM) *model.IAM {
 	if iam.DefaultLoginPolicy != nil {
 		converted.DefaultLoginPolicy = LoginPolicyToModel(iam.DefaultLoginPolicy)
 	}
+	if iam.DefaultPasswordComplexityPolicy != nil {
+		converted.DefaultPasswordComplexityPolicy = PasswordComplexityPolicyToModel(iam.DefaultPasswordComplexityPolicy)
+	}
+	if iam.DefaultPasswordAgePolicy != nil {
+		converted.DefaultPasswordAgePolicy = PasswordAgePolicyToModel(iam.DefaultPasswordAgePolicy)
+	}
+	if iam.DefaultPasswordLockoutPolicy != nil {
+		converted.DefaultPasswordLockoutPolicy = PasswordLockoutPolicyToModel(iam.DefaultPasswordLockoutPolicy)
+	}
+	if iam.DefaultOrgIAMPolicy != nil {
+		converted.DefaultOrgIAMPolicy = OrgIAMPolicyToModel(iam.DefaultOrgIAMPolicy)
+	}
 	return converted
 }
 
@@ -134,6 +161,22 @@ func (i *IAM) AppendEvent(event *es_models.Event) (err error) {
 		return i.appendAddIDPProviderToLoginPolicyEvent(event)
 	case LoginPolicyIDPProviderRemoved:
 		return i.appendRemoveIDPProviderFromLoginPolicyEvent(event)
+	case PasswordComplexityPolicyAdded:
+		return i.appendAddPasswordComplexityPolicyEvent(event)
+	case PasswordComplexityPolicyChanged:
+		return i.appendChangePasswordComplexityPolicyEvent(event)
+	case PasswordAgePolicyAdded:
+		return i.appendAddPasswordAgePolicyEvent(event)
+	case PasswordAgePolicyChanged:
+		return i.appendChangePasswordAgePolicyEvent(event)
+	case PasswordLockoutPolicyAdded:
+		return i.appendAddPasswordLockoutPolicyEvent(event)
+	case PasswordLockoutPolicyChanged:
+		return i.appendChangePasswordLockoutPolicyEvent(event)
+	case OrgIAMPolicyAdded:
+		return i.appendAddOrgIAMPolicyEvent(event)
+	case OrgIAMPolicyChanged:
+		return i.appendChangeOrgIAMPolicyEvent(event)
 	}
 
 	return err

internal/iam/repository/eventsourcing/model/org_iam_policy.go

@@ -0,0 +1,63 @@
+package model
+
+import (
+	"encoding/json"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/models"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+)
+
+type OrgIAMPolicy struct {
+	models.ObjectRoot
+
+	State                 int32 `json:"-"`
+	UserLoginMustBeDomain bool  `json:"userLoginMustBeDomain"`
+}
+
+func OrgIAMPolicyFromModel(policy *iam_model.OrgIAMPolicy) *OrgIAMPolicy {
+	return &OrgIAMPolicy{
+		ObjectRoot:            policy.ObjectRoot,
+		State:                 int32(policy.State),
+		UserLoginMustBeDomain: policy.UserLoginMustBeDomain,
+	}
+}
+
+func OrgIAMPolicyToModel(policy *OrgIAMPolicy) *iam_model.OrgIAMPolicy {
+	return &iam_model.OrgIAMPolicy{
+		ObjectRoot:            policy.ObjectRoot,
+		State:                 iam_model.PolicyState(policy.State),
+		UserLoginMustBeDomain: policy.UserLoginMustBeDomain,
+	}
+}
+
+func (p *OrgIAMPolicy) Changes(changed *OrgIAMPolicy) map[string]interface{} {
+	changes := make(map[string]interface{}, 1)
+
+	if p.UserLoginMustBeDomain != changed.UserLoginMustBeDomain {
+		changes["userLoginMustBeDomain"] = changed.UserLoginMustBeDomain
+	}
+	return changes
+}
+
+func (i *IAM) appendAddOrgIAMPolicyEvent(event *es_models.Event) error {
+	i.DefaultOrgIAMPolicy = new(OrgIAMPolicy)
+	err := i.DefaultOrgIAMPolicy.SetData(event)
+	if err != nil {
+		return err
+	}
+	i.DefaultOrgIAMPolicy.ObjectRoot.CreationDate = event.CreationDate
+	return nil
+}
+
+func (i *IAM) appendChangeOrgIAMPolicyEvent(event *es_models.Event) error {
+	return i.DefaultOrgIAMPolicy.SetData(event)
+}
+
+func (p *OrgIAMPolicy) SetData(event *es_models.Event) error {
+	err := json.Unmarshal(event.Data, p)
+	if err != nil {
+		return errors.ThrowInternal(err, "EVENT-7JS9d", "unable to unmarshal data")
+	}
+	return nil
+}

internal/iam/repository/eventsourcing/model/org_iam_policy_test.go

@@ -0,0 +1,125 @@
+package model
+
+import (
+	"encoding/json"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	"testing"
+)
+
+func TestOrgIAMPolicyChanges(t *testing.T) {
+	type args struct {
+		existing *OrgIAMPolicy
+		new      *OrgIAMPolicy
+	}
+	type res struct {
+		changesLen int
+	}
+	tests := []struct {
+		name string
+		args args
+		res  res
+	}{
+		{
+			name: "org iam policy all attributes change",
+			args: args{
+				existing: &OrgIAMPolicy{UserLoginMustBeDomain: true},
+				new:      &OrgIAMPolicy{UserLoginMustBeDomain: false},
+			},
+			res: res{
+				changesLen: 1,
+			},
+		},
+		{
+			name: "no changes",
+			args: args{
+				existing: &OrgIAMPolicy{UserLoginMustBeDomain: true},
+				new:      &OrgIAMPolicy{UserLoginMustBeDomain: true},
+			},
+			res: res{
+				changesLen: 0,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			changes := tt.args.existing.Changes(tt.args.new)
+			if len(changes) != tt.res.changesLen {
+				t.Errorf("got wrong changes len: expected: %v, actual: %v ", tt.res.changesLen, len(changes))
+			}
+		})
+	}
+}
+
+func TestAppendAddOrgIAMPolicyEvent(t *testing.T) {
+	type args struct {
+		iam    *IAM
+		policy *OrgIAMPolicy
+		event  *es_models.Event
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result *IAM
+	}{
+		{
+			name: "append add org iam policy event",
+			args: args{
+				iam:    new(IAM),
+				policy: &OrgIAMPolicy{UserLoginMustBeDomain: true},
+				event:  new(es_models.Event),
+			},
+			result: &IAM{DefaultOrgIAMPolicy: &OrgIAMPolicy{UserLoginMustBeDomain: true}},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.args.policy != nil {
+				data, _ := json.Marshal(tt.args.policy)
+				tt.args.event.Data = data
+			}
+			tt.args.iam.appendAddOrgIAMPolicyEvent(tt.args.event)
+			if tt.result.DefaultOrgIAMPolicy.UserLoginMustBeDomain != tt.args.iam.DefaultOrgIAMPolicy.UserLoginMustBeDomain {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.DefaultOrgIAMPolicy.UserLoginMustBeDomain, tt.args.iam.DefaultOrgIAMPolicy.UserLoginMustBeDomain)
+			}
+		})
+	}
+}
+
+func TestAppendChangeOrgIAMPolicyEvent(t *testing.T) {
+	type args struct {
+		iam    *IAM
+		policy *OrgIAMPolicy
+		event  *es_models.Event
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result *IAM
+	}{
+		{
+			name: "append change org iam policy event",
+			args: args{
+				iam: &IAM{DefaultOrgIAMPolicy: &OrgIAMPolicy{
+					UserLoginMustBeDomain: true,
+				}},
+				policy: &OrgIAMPolicy{UserLoginMustBeDomain: false},
+				event:  &es_models.Event{},
+			},
+			result: &IAM{DefaultOrgIAMPolicy: &OrgIAMPolicy{
+				UserLoginMustBeDomain: false,
+			}},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.args.policy != nil {
+				data, _ := json.Marshal(tt.args.policy)
+				tt.args.event.Data = data
+			}
+			tt.args.iam.appendChangeOrgIAMPolicyEvent(tt.args.event)
+			if tt.result.DefaultOrgIAMPolicy.UserLoginMustBeDomain != tt.args.iam.DefaultOrgIAMPolicy.UserLoginMustBeDomain {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.DefaultOrgIAMPolicy.UserLoginMustBeDomain, tt.args.iam.DefaultOrgIAMPolicy.UserLoginMustBeDomain)
+			}
+		})
+	}
+}

internal/iam/repository/eventsourcing/model/password_age_policy.go

@@ -0,0 +1,69 @@
+package model
+
+import (
+	"encoding/json"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/models"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+)
+
+type PasswordAgePolicy struct {
+	models.ObjectRoot
+
+	State          int32  `json:"-"`
+	MaxAgeDays     uint64 `json:"maxAgeDays"`
+	ExpireWarnDays uint64 `json:"expireWarnDays"`
+}
+
+func PasswordAgePolicyFromModel(policy *iam_model.PasswordAgePolicy) *PasswordAgePolicy {
+	return &PasswordAgePolicy{
+		ObjectRoot:     policy.ObjectRoot,
+		State:          int32(policy.State),
+		MaxAgeDays:     policy.MaxAgeDays,
+		ExpireWarnDays: policy.ExpireWarnDays,
+	}
+}
+
+func PasswordAgePolicyToModel(policy *PasswordAgePolicy) *iam_model.PasswordAgePolicy {
+	return &iam_model.PasswordAgePolicy{
+		ObjectRoot:     policy.ObjectRoot,
+		State:          iam_model.PolicyState(policy.State),
+		MaxAgeDays:     policy.MaxAgeDays,
+		ExpireWarnDays: policy.ExpireWarnDays,
+	}
+}
+
+func (p *PasswordAgePolicy) Changes(changed *PasswordAgePolicy) map[string]interface{} {
+	changes := make(map[string]interface{}, 1)
+
+	if p.MaxAgeDays != changed.MaxAgeDays {
+		changes["maxAgeDays"] = changed.MaxAgeDays
+	}
+	if p.ExpireWarnDays != changed.ExpireWarnDays {
+		changes["expireWarnDays"] = changed.ExpireWarnDays
+	}
+	return changes
+}
+
+func (i *IAM) appendAddPasswordAgePolicyEvent(event *es_models.Event) error {
+	i.DefaultPasswordAgePolicy = new(PasswordAgePolicy)
+	err := i.DefaultPasswordAgePolicy.SetData(event)
+	if err != nil {
+		return err
+	}
+	i.DefaultPasswordAgePolicy.ObjectRoot.CreationDate = event.CreationDate
+	return nil
+}
+
+func (i *IAM) appendChangePasswordAgePolicyEvent(event *es_models.Event) error {
+	return i.DefaultPasswordAgePolicy.SetData(event)
+}
+
+func (p *PasswordAgePolicy) SetData(event *es_models.Event) error {
+	err := json.Unmarshal(event.Data, p)
+	if err != nil {
+		return errors.ThrowInternal(err, "EVENT-7JS9d", "unable to unmarshal data")
+	}
+	return nil
+}

internal/iam/repository/eventsourcing/model/password_age_policy_test.go

@@ -0,0 +1,128 @@
+package model
+
+import (
+	"encoding/json"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	"testing"
+)
+
+func TestPasswordAgePolicyChanges(t *testing.T) {
+	type args struct {
+		existing *PasswordAgePolicy
+		new      *PasswordAgePolicy
+	}
+	type res struct {
+		changesLen int
+	}
+	tests := []struct {
+		name string
+		args args
+		res  res
+	}{
+		{
+			name: "age policy all attributes change",
+			args: args{
+				existing: &PasswordAgePolicy{MaxAgeDays: 365, ExpireWarnDays: 5},
+				new:      &PasswordAgePolicy{MaxAgeDays: 730, ExpireWarnDays: 10},
+			},
+			res: res{
+				changesLen: 2,
+			},
+		},
+		{
+			name: "no changes",
+			args: args{
+				existing: &PasswordAgePolicy{MaxAgeDays: 10, ExpireWarnDays: 10},
+				new:      &PasswordAgePolicy{MaxAgeDays: 10, ExpireWarnDays: 10},
+			},
+			res: res{
+				changesLen: 0,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			changes := tt.args.existing.Changes(tt.args.new)
+			if len(changes) != tt.res.changesLen {
+				t.Errorf("got wrong changes len: expected: %v, actual: %v ", tt.res.changesLen, len(changes))
+			}
+		})
+	}
+}
+
+func TestAppendAddPasswordAgePolicyEvent(t *testing.T) {
+	type args struct {
+		iam    *IAM
+		policy *PasswordAgePolicy
+		event  *es_models.Event
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result *IAM
+	}{
+		{
+			name: "append add password age policy event",
+			args: args{
+				iam:    new(IAM),
+				policy: &PasswordAgePolicy{MaxAgeDays: 10, ExpireWarnDays: 10},
+				event:  new(es_models.Event),
+			},
+			result: &IAM{DefaultPasswordAgePolicy: &PasswordAgePolicy{MaxAgeDays: 10, ExpireWarnDays: 10}},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.args.policy != nil {
+				data, _ := json.Marshal(tt.args.policy)
+				tt.args.event.Data = data
+			}
+			tt.args.iam.appendAddPasswordAgePolicyEvent(tt.args.event)
+			if tt.result.DefaultPasswordAgePolicy.MaxAgeDays != tt.args.iam.DefaultPasswordAgePolicy.MaxAgeDays {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.DefaultPasswordAgePolicy.MaxAgeDays, tt.args.iam.DefaultPasswordAgePolicy.MaxAgeDays)
+			}
+			if tt.result.DefaultPasswordAgePolicy.ExpireWarnDays != tt.args.iam.DefaultPasswordAgePolicy.ExpireWarnDays {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.DefaultPasswordAgePolicy.ExpireWarnDays, tt.args.iam.DefaultPasswordAgePolicy.ExpireWarnDays)
+			}
+		})
+	}
+}
+
+func TestAppendChangePasswordAgePolicyEvent(t *testing.T) {
+	type args struct {
+		iam    *IAM
+		policy *PasswordAgePolicy
+		event  *es_models.Event
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result *IAM
+	}{
+		{
+			name: "append change password age policy event",
+			args: args{
+				iam: &IAM{DefaultPasswordAgePolicy: &PasswordAgePolicy{
+					MaxAgeDays: 10,
+				}},
+				policy: &PasswordAgePolicy{MaxAgeDays: 5},
+				event:  &es_models.Event{},
+			},
+			result: &IAM{DefaultPasswordAgePolicy: &PasswordAgePolicy{
+				MaxAgeDays: 5,
+			}},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.args.policy != nil {
+				data, _ := json.Marshal(tt.args.policy)
+				tt.args.event.Data = data
+			}
+			tt.args.iam.appendChangePasswordAgePolicyEvent(tt.args.event)
+			if tt.result.DefaultPasswordAgePolicy.MaxAgeDays != tt.args.iam.DefaultPasswordAgePolicy.MaxAgeDays {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.DefaultPasswordAgePolicy.MaxAgeDays, tt.args.iam.DefaultPasswordAgePolicy.MaxAgeDays)
+			}
+		})
+	}
+}

internal/iam/repository/eventsourcing/model/password_complexity_policy.go

@@ -0,0 +1,87 @@
+package model
+
+import (
+	"encoding/json"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/models"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+)
+
+type PasswordComplexityPolicy struct {
+	models.ObjectRoot
+
+	State        int32  `json:"-"`
+	MinLength    uint64 `json:"minLength"`
+	HasLowercase bool   `json:"hasLowercase"`
+	HasUppercase bool   `json:"hasUppercase"`
+	HasNumber    bool   `json:"hasNumber"`
+	HasSymbol    bool   `json:"hasSymbol"`
+}
+
+func PasswordComplexityPolicyFromModel(policy *iam_model.PasswordComplexityPolicy) *PasswordComplexityPolicy {
+	return &PasswordComplexityPolicy{
+		ObjectRoot:   policy.ObjectRoot,
+		State:        int32(policy.State),
+		MinLength:    policy.MinLength,
+		HasLowercase: policy.HasLowercase,
+		HasUppercase: policy.HasUppercase,
+		HasNumber:    policy.HasNumber,
+		HasSymbol:    policy.HasSymbol,
+	}
+}
+
+func PasswordComplexityPolicyToModel(policy *PasswordComplexityPolicy) *iam_model.PasswordComplexityPolicy {
+	return &iam_model.PasswordComplexityPolicy{
+		ObjectRoot:   policy.ObjectRoot,
+		State:        iam_model.PolicyState(policy.State),
+		MinLength:    policy.MinLength,
+		HasLowercase: policy.HasLowercase,
+		HasUppercase: policy.HasUppercase,
+		HasNumber:    policy.HasNumber,
+		HasSymbol:    policy.HasSymbol,
+	}
+}
+
+func (p *PasswordComplexityPolicy) Changes(changed *PasswordComplexityPolicy) map[string]interface{} {
+	changes := make(map[string]interface{}, 1)
+
+	if p.MinLength != changed.MinLength {
+		changes["minLength"] = changed.MinLength
+	}
+	if p.HasLowercase != changed.HasLowercase {
+		changes["hasLowercase"] = changed.HasLowercase
+	}
+	if p.HasUppercase != changed.HasUppercase {
+		changes["hasUppercase"] = changed.HasUppercase
+	}
+	if p.HasNumber != changed.HasNumber {
+		changes["hasNumber"] = changed.HasNumber
+	}
+	if p.HasSymbol != changed.HasSymbol {
+		changes["hasSymbol"] = changed.HasSymbol
+	}
+	return changes
+}
+
+func (i *IAM) appendAddPasswordComplexityPolicyEvent(event *es_models.Event) error {
+	i.DefaultPasswordComplexityPolicy = new(PasswordComplexityPolicy)
+	err := i.DefaultPasswordComplexityPolicy.SetData(event)
+	if err != nil {
+		return err
+	}
+	i.DefaultPasswordComplexityPolicy.ObjectRoot.CreationDate = event.CreationDate
+	return nil
+}
+
+func (i *IAM) appendChangePasswordComplexityPolicyEvent(event *es_models.Event) error {
+	return i.DefaultPasswordComplexityPolicy.SetData(event)
+}
+
+func (p *PasswordComplexityPolicy) SetData(event *es_models.Event) error {
+	err := json.Unmarshal(event.Data, p)
+	if err != nil {
+		return errors.ThrowInternal(err, "EVENT-7JS9d", "unable to unmarshal data")
+	}
+	return nil
+}

internal/iam/repository/eventsourcing/model/password_complexity_policy_test.go

@@ -0,0 +1,137 @@
+package model
+
+import (
+	"encoding/json"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	"testing"
+)
+
+func TestPasswordComplexityPolicyChanges(t *testing.T) {
+	type args struct {
+		existing *PasswordComplexityPolicy
+		new      *PasswordComplexityPolicy
+	}
+	type res struct {
+		changesLen int
+	}
+	tests := []struct {
+		name string
+		args args
+		res  res
+	}{
+		{
+			name: "loginpolicy all attributes change",
+			args: args{
+				existing: &PasswordComplexityPolicy{MinLength: 10, HasUppercase: true, HasLowercase: true, HasNumber: true, HasSymbol: true},
+				new:      &PasswordComplexityPolicy{MinLength: 5, HasUppercase: false, HasLowercase: false, HasNumber: false, HasSymbol: false},
+			},
+			res: res{
+				changesLen: 5,
+			},
+		},
+		{
+			name: "no changes",
+			args: args{
+				existing: &PasswordComplexityPolicy{MinLength: 10, HasUppercase: true, HasLowercase: true, HasNumber: true, HasSymbol: true},
+				new:      &PasswordComplexityPolicy{MinLength: 10, HasUppercase: true, HasLowercase: true, HasNumber: true, HasSymbol: true},
+			},
+			res: res{
+				changesLen: 0,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			changes := tt.args.existing.Changes(tt.args.new)
+			if len(changes) != tt.res.changesLen {
+				t.Errorf("got wrong changes len: expected: %v, actual: %v ", tt.res.changesLen, len(changes))
+			}
+		})
+	}
+}
+
+func TestAppendAddPasswordComplexityPolicyEvent(t *testing.T) {
+	type args struct {
+		iam    *IAM
+		policy *PasswordComplexityPolicy
+		event  *es_models.Event
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result *IAM
+	}{
+		{
+			name: "append add password complexity policy event",
+			args: args{
+				iam:    new(IAM),
+				policy: &PasswordComplexityPolicy{MinLength: 10, HasUppercase: true, HasLowercase: true, HasNumber: true, HasSymbol: true},
+				event:  new(es_models.Event),
+			},
+			result: &IAM{DefaultPasswordComplexityPolicy: &PasswordComplexityPolicy{MinLength: 10, HasUppercase: true, HasLowercase: true, HasNumber: true, HasSymbol: true}},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.args.policy != nil {
+				data, _ := json.Marshal(tt.args.policy)
+				tt.args.event.Data = data
+			}
+			tt.args.iam.appendAddPasswordComplexityPolicyEvent(tt.args.event)
+			if tt.result.DefaultPasswordComplexityPolicy.MinLength != tt.args.iam.DefaultPasswordComplexityPolicy.MinLength {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.DefaultPasswordComplexityPolicy.MinLength, tt.args.iam.DefaultPasswordComplexityPolicy.MinLength)
+			}
+			if tt.result.DefaultPasswordComplexityPolicy.HasUppercase != tt.args.iam.DefaultPasswordComplexityPolicy.HasUppercase {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.DefaultPasswordComplexityPolicy.HasUppercase, tt.args.iam.DefaultPasswordComplexityPolicy.HasUppercase)
+			}
+			if tt.result.DefaultPasswordComplexityPolicy.HasLowercase != tt.args.iam.DefaultPasswordComplexityPolicy.HasLowercase {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.DefaultPasswordComplexityPolicy.HasLowercase, tt.args.iam.DefaultPasswordComplexityPolicy.HasLowercase)
+			}
+			if tt.result.DefaultPasswordComplexityPolicy.HasNumber != tt.args.iam.DefaultPasswordComplexityPolicy.HasNumber {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.DefaultPasswordComplexityPolicy.HasNumber, tt.args.iam.DefaultPasswordComplexityPolicy.HasNumber)
+			}
+			if tt.result.DefaultPasswordComplexityPolicy.HasSymbol != tt.args.iam.DefaultPasswordComplexityPolicy.HasSymbol {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.DefaultPasswordComplexityPolicy.HasSymbol, tt.args.iam.DefaultPasswordComplexityPolicy.HasSymbol)
+			}
+		})
+	}
+}
+
+func TestAppendChangePasswordComplexityPolicyEvent(t *testing.T) {
+	type args struct {
+		iam    *IAM
+		policy *PasswordComplexityPolicy
+		event  *es_models.Event
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result *IAM
+	}{
+		{
+			name: "append change password complexity policy event",
+			args: args{
+				iam: &IAM{DefaultPasswordComplexityPolicy: &PasswordComplexityPolicy{
+					MinLength: 10,
+				}},
+				policy: &PasswordComplexityPolicy{MinLength: 5},
+				event:  &es_models.Event{},
+			},
+			result: &IAM{DefaultPasswordComplexityPolicy: &PasswordComplexityPolicy{
+				MinLength: 5,
+			}},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.args.policy != nil {
+				data, _ := json.Marshal(tt.args.policy)
+				tt.args.event.Data = data
+			}
+			tt.args.iam.appendChangePasswordComplexityPolicyEvent(tt.args.event)
+			if tt.result.DefaultPasswordComplexityPolicy.MinLength != tt.args.iam.DefaultPasswordComplexityPolicy.MinLength {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.DefaultPasswordComplexityPolicy.MinLength, tt.args.iam.DefaultPasswordComplexityPolicy.MinLength)
+			}
+		})
+	}
+}

internal/iam/repository/eventsourcing/model/password_lockout_policy.go

@@ -0,0 +1,69 @@
+package model
+
+import (
+	"encoding/json"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/models"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+)
+
+type PasswordLockoutPolicy struct {
+	models.ObjectRoot
+
+	State               int32  `json:"-"`
+	MaxAttempts         uint64 `json:"maxAttempts"`
+	ShowLockOutFailures bool   `json:"showLockOutFailures"`
+}
+
+func PasswordLockoutPolicyFromModel(policy *iam_model.PasswordLockoutPolicy) *PasswordLockoutPolicy {
+	return &PasswordLockoutPolicy{
+		ObjectRoot:          policy.ObjectRoot,
+		State:               int32(policy.State),
+		MaxAttempts:         policy.MaxAttempts,
+		ShowLockOutFailures: policy.ShowLockOutFailures,
+	}
+}
+
+func PasswordLockoutPolicyToModel(policy *PasswordLockoutPolicy) *iam_model.PasswordLockoutPolicy {
+	return &iam_model.PasswordLockoutPolicy{
+		ObjectRoot:          policy.ObjectRoot,
+		State:               iam_model.PolicyState(policy.State),
+		MaxAttempts:         policy.MaxAttempts,
+		ShowLockOutFailures: policy.ShowLockOutFailures,
+	}
+}
+
+func (p *PasswordLockoutPolicy) Changes(changed *PasswordLockoutPolicy) map[string]interface{} {
+	changes := make(map[string]interface{}, 2)
+
+	if p.MaxAttempts != changed.MaxAttempts {
+		changes["maxAttempts"] = changed.MaxAttempts
+	}
+	if p.ShowLockOutFailures != changed.ShowLockOutFailures {
+		changes["showLockOutFailures"] = changed.ShowLockOutFailures
+	}
+	return changes
+}
+
+func (i *IAM) appendAddPasswordLockoutPolicyEvent(event *es_models.Event) error {
+	i.DefaultPasswordLockoutPolicy = new(PasswordLockoutPolicy)
+	err := i.DefaultPasswordLockoutPolicy.SetData(event)
+	if err != nil {
+		return err
+	}
+	i.DefaultPasswordLockoutPolicy.ObjectRoot.CreationDate = event.CreationDate
+	return nil
+}
+
+func (i *IAM) appendChangePasswordLockoutPolicyEvent(event *es_models.Event) error {
+	return i.DefaultPasswordLockoutPolicy.SetData(event)
+}
+
+func (p *PasswordLockoutPolicy) SetData(event *es_models.Event) error {
+	err := json.Unmarshal(event.Data, p)
+	if err != nil {
+		return errors.ThrowInternal(err, "EVENT-7JS9d", "unable to unmarshal data")
+	}
+	return nil
+}

internal/iam/repository/eventsourcing/model/password_lockout_policy_test.go

@@ -0,0 +1,128 @@
+package model
+
+import (
+	"encoding/json"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	"testing"
+)
+
+func TestPasswordLockoutPolicyChanges(t *testing.T) {
+	type args struct {
+		existing *PasswordLockoutPolicy
+		new      *PasswordLockoutPolicy
+	}
+	type res struct {
+		changesLen int
+	}
+	tests := []struct {
+		name string
+		args args
+		res  res
+	}{
+		{
+			name: "lockout policy all attributes change",
+			args: args{
+				existing: &PasswordLockoutPolicy{MaxAttempts: 365, ShowLockOutFailures: true},
+				new:      &PasswordLockoutPolicy{MaxAttempts: 730, ShowLockOutFailures: false},
+			},
+			res: res{
+				changesLen: 2,
+			},
+		},
+		{
+			name: "no changes",
+			args: args{
+				existing: &PasswordLockoutPolicy{MaxAttempts: 10, ShowLockOutFailures: true},
+				new:      &PasswordLockoutPolicy{MaxAttempts: 10, ShowLockOutFailures: true},
+			},
+			res: res{
+				changesLen: 0,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			changes := tt.args.existing.Changes(tt.args.new)
+			if len(changes) != tt.res.changesLen {
+				t.Errorf("got wrong changes len: expected: %v, actual: %v ", tt.res.changesLen, len(changes))
+			}
+		})
+	}
+}
+
+func TestAppendAddPasswordLockoutPolicyEvent(t *testing.T) {
+	type args struct {
+		iam    *IAM
+		policy *PasswordLockoutPolicy
+		event  *es_models.Event
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result *IAM
+	}{
+		{
+			name: "append add password lockout policy event",
+			args: args{
+				iam:    new(IAM),
+				policy: &PasswordLockoutPolicy{MaxAttempts: 10, ShowLockOutFailures: true},
+				event:  new(es_models.Event),
+			},
+			result: &IAM{DefaultPasswordLockoutPolicy: &PasswordLockoutPolicy{MaxAttempts: 10, ShowLockOutFailures: true}},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.args.policy != nil {
+				data, _ := json.Marshal(tt.args.policy)
+				tt.args.event.Data = data
+			}
+			tt.args.iam.appendAddPasswordLockoutPolicyEvent(tt.args.event)
+			if tt.result.DefaultPasswordLockoutPolicy.MaxAttempts != tt.args.iam.DefaultPasswordLockoutPolicy.MaxAttempts {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.DefaultPasswordLockoutPolicy.MaxAttempts, tt.args.iam.DefaultPasswordLockoutPolicy.MaxAttempts)
+			}
+			if tt.result.DefaultPasswordLockoutPolicy.ShowLockOutFailures != tt.args.iam.DefaultPasswordLockoutPolicy.ShowLockOutFailures {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.DefaultPasswordLockoutPolicy.ShowLockOutFailures, tt.args.iam.DefaultPasswordLockoutPolicy.ShowLockOutFailures)
+			}
+		})
+	}
+}
+
+func TestAppendChangePasswordLockoutPolicyEvent(t *testing.T) {
+	type args struct {
+		iam    *IAM
+		policy *PasswordLockoutPolicy
+		event  *es_models.Event
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result *IAM
+	}{
+		{
+			name: "append change password lockout policy event",
+			args: args{
+				iam: &IAM{DefaultPasswordLockoutPolicy: &PasswordLockoutPolicy{
+					MaxAttempts: 10,
+				}},
+				policy: &PasswordLockoutPolicy{MaxAttempts: 5},
+				event:  &es_models.Event{},
+			},
+			result: &IAM{DefaultPasswordLockoutPolicy: &PasswordLockoutPolicy{
+				MaxAttempts: 5,
+			}},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.args.policy != nil {
+				data, _ := json.Marshal(tt.args.policy)
+				tt.args.event.Data = data
+			}
+			tt.args.iam.appendChangePasswordLockoutPolicyEvent(tt.args.event)
+			if tt.result.DefaultPasswordLockoutPolicy.MaxAttempts != tt.args.iam.DefaultPasswordLockoutPolicy.MaxAttempts {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.DefaultPasswordLockoutPolicy.MaxAttempts, tt.args.iam.DefaultPasswordLockoutPolicy.MaxAttempts)
+			}
+		})
+	}
+}

internal/iam/repository/eventsourcing/model/types.go

@@ -30,4 +30,16 @@ const (
 	LoginPolicyIDPProviderAdded          models.EventType = "iam.policy.login.idpprovider.added"
 	LoginPolicyIDPProviderRemoved        models.EventType = "iam.policy.login.idpprovider.removed"
 	LoginPolicyIDPProviderCascadeRemoved models.EventType = "iam.policy.login.idpprovider.cascade.removed"
+
+	PasswordComplexityPolicyAdded   models.EventType = "iam.policy.password.complexity.added"
+	PasswordComplexityPolicyChanged models.EventType = "iam.policy.password.complexity.changed"
+
+	PasswordAgePolicyAdded   models.EventType = "iam.policy.password.age.added"
+	PasswordAgePolicyChanged models.EventType = "iam.policy.password.age.changed"
+
+	PasswordLockoutPolicyAdded   models.EventType = "iam.policy.password.lockout.added"
+	PasswordLockoutPolicyChanged models.EventType = "iam.policy.password.lockout.changed"
+
+	OrgIAMPolicyAdded   models.EventType = "iam.policy.org.iam.added"
+	OrgIAMPolicyChanged models.EventType = "iam.policy.org.iam.changed"
 )