feat: policies on aggregates (#799)

* feat: move pw policy

* feat: default pw complexity policy

* fix: org password complexity policy

* fix: org password complexity policy

* fix: pw complexity policy with setup

* fix: age and lockout policies on aggregates

* fix: migration

* fix: org iam policy

* fix: org iam policy

* fix: org iam policy

* fix: tests

* fix: policy request

* fix: merge master

* fix(console): policies frontend (#817)

* fix policy build

* fix: age, complexity, lockout policies

* fix: ready return err of setup not done

* fix: fix remove policies in spoolers

* fix: fix remove policies in spoolers

* feat(console): policy settings for iam and org (#824)

* fix policy build

* fix: age, complexity, lockout policies

* fix pwd complexity

* policy remove action

* add imports

* fix accounts card, enable mgmt login policy

* lint

* add iam policy to admin

* toasts, i18n, show default

* routing, i18n

* reset policy, toast i18n, cleanup, routing

* policy delete permission

* lint style

* delete iam policy

* delete non project from grid list, i18n

* lint ts, style

* fix: remove instead delete

* feat(console): delete external idp from user (#835)

* dialog i18n, delete column and function

* dialog i18n

* fix rm button

* Update console/src/assets/i18n/de.json

Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>

* Update console/src/assets/i18n/de.json

Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>

* fix: revert env, rename policy, remove comments

* fix: lowercase sich

* fix: pr requests

* Update internal/iam/repository/eventsourcing/eventstore_test.go

Co-authored-by: Silvan <silvan.reusser@gmail.com>

* fix: tests

* fix: tests

* fix(console): policies (#839)

* fix: nil pointer on get userdata (#815)

* fix: external login (#818)

* fix: external login

* fix: external login

* feat(console): delete user (#819)

* add action col to user table, i18n

* delete user from detail component

* lint

* fix(console): cleanup user detail and member components, user/me redirect, permission guards, filter, org policy guard, user table, scss cleanup (#808)

* fix: remove user.write guard for filtering

* border color

* fix user routing from member tables

* idp detail layout

* generic contact component

* fix redirect to auth user, user grant disable

* disable policy action without permission, i18n

* user-create flex fix, contact ng-content

* rm unused styles

* sidenav divider

* lint

* chore(deps-dev): bump @angular/cli from 10.1.3 to 10.1.4 in /console (#806)

* fix: user session with external login (#797)

* fix: user session with external login

* fix: tests

* fix: tests

* fix: change idp config name

* fix(container): stop copying / and instead only copy zitadel (#691)

* chore: stop copying / and instead only copy zitadel

* Update Dockerfile

* Update release.yml

* enable anchors debug

* fix(container): don't copy alpine content into scratch execpt pwd

* chore: remove need step

* merge master

* chore(deps-dev): bump @angular/cli from 10.1.3 to 10.1.4 in /console

Bumps [@angular/cli](https://github.com/angular/angular-cli) from 10.1.3 to 10.1.4.
- [Release notes](https://github.com/angular/angular-cli/releases)
- [Commits](https://github.com/angular/angular-cli/compare/v10.1.3...v10.1.4)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
Co-authored-by: Florian Forster <florian@caos.ch>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @angular/language-service from 10.1.3 to 10.1.4 in /console (#805)

* fix: user session with external login (#797)

* fix: user session with external login

* fix: tests

* fix: tests

* fix: change idp config name

* fix(container): stop copying / and instead only copy zitadel (#691)

* chore: stop copying / and instead only copy zitadel

* Update Dockerfile

* Update release.yml

* enable anchors debug

* fix(container): don't copy alpine content into scratch execpt pwd

* chore: remove need step

* merge master

* chore(deps-dev): bump @angular/language-service in /console

Bumps [@angular/language-service](https://github.com/angular/angular/tree/HEAD/packages/language-service) from 10.1.3 to 10.1.4.
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/master/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/10.1.4/packages/language-service)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
Co-authored-by: Florian Forster <florian@caos.ch>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump codelyzer from 6.0.0 to 6.0.1 in /console (#804)

* fix: user session with external login (#797)

* fix: user session with external login

* fix: tests

* fix: tests

* fix: change idp config name

* fix(container): stop copying / and instead only copy zitadel (#691)

* chore: stop copying / and instead only copy zitadel

* Update Dockerfile

* Update release.yml

* enable anchors debug

* fix(container): don't copy alpine content into scratch execpt pwd

* chore: remove need step

* merge master

* chore(deps-dev): bump codelyzer from 6.0.0 to 6.0.1 in /console

Bumps [codelyzer](https://github.com/mgechev/codelyzer) from 6.0.0 to 6.0.1.
- [Release notes](https://github.com/mgechev/codelyzer/releases)
- [Changelog](https://github.com/mgechev/codelyzer/blob/master/CHANGELOG.md)
- [Commits](https://github.com/mgechev/codelyzer/commits/6.0.1)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
Co-authored-by: Florian Forster <florian@caos.ch>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @angular-devkit/build-angular from 0.1000.8 to 0.1001.4 in /console (#803)

* fix: user session with external login (#797)

* fix: user session with external login

* fix: tests

* fix: tests

* fix: change idp config name

* fix(container): stop copying / and instead only copy zitadel (#691)

* chore: stop copying / and instead only copy zitadel

* Update Dockerfile

* Update release.yml

* enable anchors debug

* fix(container): don't copy alpine content into scratch execpt pwd

* chore: remove need step

* merge master

* chore(deps-dev): bump @angular-devkit/build-angular in /console

Bumps [@angular-devkit/build-angular](https://github.com/angular/angular-cli) from 0.1000.8 to 0.1001.4.
- [Release notes](https://github.com/angular/angular-cli/releases)
- [Commits](https://github.com/angular/angular-cli/commits)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
Co-authored-by: Florian Forster <florian@caos.ch>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Max Peintner <max@caos.ch>

* chore(deps): bump uuid from 8.3.0 to 8.3.1 in /console (#802)

* fix: user session with external login (#797)

* fix: user session with external login

* fix: tests

* fix: tests

* fix: change idp config name

* fix(container): stop copying / and instead only copy zitadel (#691)

* chore: stop copying / and instead only copy zitadel

* Update Dockerfile

* Update release.yml

* enable anchors debug

* fix(container): don't copy alpine content into scratch execpt pwd

* chore: remove need step

* merge master

* chore(deps): bump uuid from 8.3.0 to 8.3.1 in /console

Bumps [uuid](https://github.com/uuidjs/uuid) from 8.3.0 to 8.3.1.
- [Release notes](https://github.com/uuidjs/uuid/releases)
- [Changelog](https://github.com/uuidjs/uuid/blob/master/CHANGELOG.md)
- [Commits](https://github.com/uuidjs/uuid/compare/v8.3.0...v8.3.1)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
Co-authored-by: Florian Forster <florian@caos.ch>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* create memberstable as common component

* iam member cleanup

* iam + org m table, user table service user avatar

* toast config

* fix selection emitter

* fix project grant table width

* project grant members refactor

* theme optimizations

* member table col delete

* lint

* fix table row color

* refactor grey color

* lint scss

* org list redirect on click, fix user table undef

* refresh table after grant add

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
Co-authored-by: Florian Forster <florian@caos.ch>

* fix(console): intercept navigator.language, set browser lang as default for user without explicit setting, user table outline, member create dialog import (#820)

* i18n interceptor, set language to browser lang

* nullcheck

* rm external idp log

* fix module imports, rm user displayname from i18n

* Update console/src/assets/i18n/de.json

Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>

* fix: delete external idps from users (#822)

* fix(console): permission regex, account switcher null check, restrict app and member create access (#821)

* fix member table disable, gerneal regexp

* fix user session card, app disable

* memberships max count

* fix policy permissions

* permission check for member add dialog

* lint

* rm accounts log

* rm id regex

* fix: handle usermemberships on project and project grant delete (#825)

* fix: go handler

Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Florian Forster <florian@caos.ch>

* fix: tests

* fix: not needed error handling

Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: Silvan <silvan.reusser@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Florian Forster <florian@caos.ch>

internal/org/repository/eventsourcing/model/org.go

@@ -20,11 +20,14 @@ type Org struct {
 	Name  string `json:"name,omitempty"`
 	State int32  `json:"-"`
 
-	Domains      []*OrgDomain              `json:"-"`
-	Members      []*OrgMember              `json:"-"`
-	OrgIamPolicy *OrgIAMPolicy             `json:"-"`
-	LoginPolicy  *iam_es_model.LoginPolicy `json:"-"`
-	IDPs         []*iam_es_model.IDPConfig `json:"-"`
+	Domains                  []*OrgDomain                           `json:"-"`
+	Members                  []*OrgMember                           `json:"-"`
+	OrgIAMPolicy             *iam_es_model.OrgIAMPolicy             `json:"-"`
+	IDPs                     []*iam_es_model.IDPConfig              `json:"-"`
+	LoginPolicy              *iam_es_model.LoginPolicy              `json:"-"`
+	PasswordComplexityPolicy *iam_es_model.PasswordComplexityPolicy `json:"-"`
+	PasswordAgePolicy        *iam_es_model.PasswordAgePolicy        `json:"-"`
+	PasswordLockoutPolicy    *iam_es_model.PasswordLockoutPolicy    `json:"-"`
 }
 
 func OrgFromModel(org *org_model.Org) *Org {
@@ -40,11 +43,20 @@ func OrgFromModel(org *org_model.Org) *Org {
 		IDPs:       idps,
 	}
 	if org.OrgIamPolicy != nil {
-		converted.OrgIamPolicy = OrgIAMPolicyFromModel(org.OrgIamPolicy)
+		converted.OrgIAMPolicy = iam_es_model.OrgIAMPolicyFromModel(org.OrgIamPolicy)
 	}
 	if org.LoginPolicy != nil {
 		converted.LoginPolicy = iam_es_model.LoginPolicyFromModel(org.LoginPolicy)
 	}
+	if org.PasswordComplexityPolicy != nil {
+		converted.PasswordComplexityPolicy = iam_es_model.PasswordComplexityPolicyFromModel(org.PasswordComplexityPolicy)
+	}
+	if org.PasswordAgePolicy != nil {
+		converted.PasswordAgePolicy = iam_es_model.PasswordAgePolicyFromModel(org.PasswordAgePolicy)
+	}
+	if org.PasswordLockoutPolicy != nil {
+		converted.PasswordLockoutPolicy = iam_es_model.PasswordLockoutPolicyFromModel(org.PasswordLockoutPolicy)
+	}
 	return converted
 }
 
@@ -57,12 +69,21 @@ func OrgToModel(org *Org) *org_model.Org {
 		Members:    OrgMembersToModel(org.Members),
 		IDPs:       iam_es_model.IDPConfigsToModel(org.IDPs),
 	}
-	if org.OrgIamPolicy != nil {
-		converted.OrgIamPolicy = OrgIAMPolicyToModel(org.OrgIamPolicy)
+	if org.OrgIAMPolicy != nil {
+		converted.OrgIamPolicy = iam_es_model.OrgIAMPolicyToModel(org.OrgIAMPolicy)
 	}
 	if org.LoginPolicy != nil {
 		converted.LoginPolicy = iam_es_model.LoginPolicyToModel(org.LoginPolicy)
 	}
+	if org.PasswordComplexityPolicy != nil {
+		converted.PasswordComplexityPolicy = iam_es_model.PasswordComplexityPolicyToModel(org.PasswordComplexityPolicy)
+	}
+	if org.PasswordAgePolicy != nil {
+		converted.PasswordAgePolicy = iam_es_model.PasswordAgePolicyToModel(org.PasswordAgePolicy)
+	}
+	if org.PasswordLockoutPolicy != nil {
+		converted.PasswordLockoutPolicy = iam_es_model.PasswordLockoutPolicyToModel(org.PasswordLockoutPolicy)
+	}
 	return converted
 }
 
@@ -164,6 +185,24 @@ func (o *Org) AppendEvent(event *es_models.Event) (err error) {
 		err = o.appendAddIdpProviderToLoginPolicyEvent(event)
 	case LoginPolicyIDPProviderRemoved:
 		err = o.appendRemoveIdpProviderFromLoginPolicyEvent(event)
+	case PasswordComplexityPolicyAdded:
+		err = o.appendAddPasswordComplexityPolicyEvent(event)
+	case PasswordComplexityPolicyChanged:
+		err = o.appendChangePasswordComplexityPolicyEvent(event)
+	case PasswordComplexityPolicyRemoved:
+		o.appendRemovePasswordComplexityPolicyEvent(event)
+	case PasswordAgePolicyAdded:
+		err = o.appendAddPasswordAgePolicyEvent(event)
+	case PasswordAgePolicyChanged:
+		err = o.appendChangePasswordAgePolicyEvent(event)
+	case PasswordAgePolicyRemoved:
+		o.appendRemovePasswordAgePolicyEvent(event)
+	case PasswordLockoutPolicyAdded:
+		err = o.appendAddPasswordLockoutPolicyEvent(event)
+	case PasswordLockoutPolicyChanged:
+		err = o.appendChangePasswordLockoutPolicyEvent(event)
+	case PasswordLockoutPolicyRemoved:
+		o.appendRemovePasswordLockoutPolicyEvent(event)
 	}
 	if err != nil {
 		return err

internal/org/repository/eventsourcing/model/org_iam_policy.go

@@ -1,72 +1,24 @@
 package model
 
 import (
-	"encoding/json"
-	"github.com/caos/zitadel/internal/errors"
-	"github.com/caos/zitadel/internal/eventstore/models"
 	es_models "github.com/caos/zitadel/internal/eventstore/models"
-	org_model "github.com/caos/zitadel/internal/org/model"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
 )
 
-type OrgIAMPolicy struct {
-	models.ObjectRoot
-
-	Description           string `json:"description,omitempty"`
-	State                 int32  `json:"-"`
-	UserLoginMustBeDomain bool   `json:"userLoginMustBeDomain"`
-}
-
-func OrgIAMPolicyToModel(policy *OrgIAMPolicy) *org_model.OrgIAMPolicy {
-	return &org_model.OrgIAMPolicy{
-		ObjectRoot:            policy.ObjectRoot,
-		State:                 org_model.PolicyState(policy.State),
-		UserLoginMustBeDomain: policy.UserLoginMustBeDomain,
-	}
-}
-
-func OrgIAMPolicyFromModel(policy *org_model.OrgIAMPolicy) *OrgIAMPolicy {
-	return &OrgIAMPolicy{
-		ObjectRoot:            policy.ObjectRoot,
-		State:                 int32(policy.State),
-		UserLoginMustBeDomain: policy.UserLoginMustBeDomain,
-	}
-}
-
 func (o *Org) appendAddOrgIAMPolicyEvent(event *es_models.Event) error {
-	o.OrgIamPolicy = new(OrgIAMPolicy)
-	err := o.OrgIamPolicy.SetData(event)
+	o.OrgIAMPolicy = new(iam_es_model.OrgIAMPolicy)
+	err := o.OrgIAMPolicy.SetData(event)
 	if err != nil {
 		return err
 	}
-	o.OrgIamPolicy.ObjectRoot.CreationDate = event.CreationDate
+	o.OrgIAMPolicy.ObjectRoot.CreationDate = event.CreationDate
 	return nil
 }
 
 func (o *Org) appendChangeOrgIAMPolicyEvent(event *es_models.Event) error {
-	return o.OrgIamPolicy.SetData(event)
+	return o.OrgIAMPolicy.SetData(event)
 }
 
 func (o *Org) appendRemoveOrgIAMPolicyEvent() {
-	o.OrgIamPolicy = nil
-}
-
-func (p *OrgIAMPolicy) Changes(changed *OrgIAMPolicy) map[string]interface{} {
-	changes := make(map[string]interface{}, 2)
-
-	if changed.Description != p.Description {
-		changes["description"] = changed.Description
-	}
-	if changed.UserLoginMustBeDomain != p.UserLoginMustBeDomain {
-		changes["userLoginMustBeDomain"] = changed.UserLoginMustBeDomain
-	}
-
-	return changes
-}
-
-func (p *OrgIAMPolicy) SetData(event *es_models.Event) error {
-	err := json.Unmarshal(event.Data, p)
-	if err != nil {
-		return errors.ThrowInternal(err, "EVENT-7JS9d", "unable to unmarshal data")
-	}
-	return nil
+	o.OrgIAMPolicy = nil
 }

internal/org/repository/eventsourcing/model/password_age_policy.go

@@ -0,0 +1,24 @@
+package model
+
+import (
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+)
+
+func (o *Org) appendAddPasswordAgePolicyEvent(event *es_models.Event) error {
+	o.PasswordAgePolicy = new(iam_es_model.PasswordAgePolicy)
+	err := o.PasswordAgePolicy.SetData(event)
+	if err != nil {
+		return err
+	}
+	o.PasswordAgePolicy.ObjectRoot.CreationDate = event.CreationDate
+	return nil
+}
+
+func (o *Org) appendChangePasswordAgePolicyEvent(event *es_models.Event) error {
+	return o.PasswordAgePolicy.SetData(event)
+}
+
+func (o *Org) appendRemovePasswordAgePolicyEvent(event *es_models.Event) {
+	o.PasswordAgePolicy = nil
+}

internal/org/repository/eventsourcing/model/password_age_policy_test.go

@@ -0,0 +1,86 @@
+package model
+
+import (
+	"encoding/json"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+	"testing"
+)
+
+func TestAppendAddPasswordAgePolicyEvent(t *testing.T) {
+	type args struct {
+		org    *Org
+		policy *iam_es_model.PasswordAgePolicy
+		event  *es_models.Event
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result *Org
+	}{
+		{
+			name: "append add password age policy event",
+			args: args{
+				org:    &Org{},
+				policy: &iam_es_model.PasswordAgePolicy{MaxAgeDays: 10},
+				event:  &es_models.Event{},
+			},
+			result: &Org{PasswordAgePolicy: &iam_es_model.PasswordAgePolicy{MaxAgeDays: 10}},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.args.policy != nil {
+				data, _ := json.Marshal(tt.args.policy)
+				tt.args.event.Data = data
+			}
+			tt.args.org.appendAddPasswordAgePolicyEvent(tt.args.event)
+			if tt.result.PasswordAgePolicy.MaxAgeDays != tt.args.org.PasswordAgePolicy.MaxAgeDays {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.PasswordAgePolicy.MaxAgeDays, tt.args.org.PasswordAgePolicy.MaxAgeDays)
+			}
+		})
+	}
+}
+
+func TestAppendChangePasswordAgePolicyEvent(t *testing.T) {
+	type args struct {
+		org    *Org
+		policy *iam_es_model.PasswordAgePolicy
+		event  *es_models.Event
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result *Org
+	}{
+		{
+			name: "append change password age policy event",
+			args: args{
+				org: &Org{PasswordAgePolicy: &iam_es_model.PasswordAgePolicy{
+					MaxAgeDays: 10,
+				}},
+				policy: &iam_es_model.PasswordAgePolicy{MaxAgeDays: 5, ExpireWarnDays: 10},
+				event:  &es_models.Event{},
+			},
+			result: &Org{PasswordAgePolicy: &iam_es_model.PasswordAgePolicy{
+				MaxAgeDays:     5,
+				ExpireWarnDays: 10,
+			}},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.args.policy != nil {
+				data, _ := json.Marshal(tt.args.policy)
+				tt.args.event.Data = data
+			}
+			tt.args.org.appendChangePasswordAgePolicyEvent(tt.args.event)
+			if tt.result.PasswordAgePolicy.MaxAgeDays != tt.args.org.PasswordAgePolicy.MaxAgeDays {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.PasswordAgePolicy.MaxAgeDays, tt.args.org.PasswordAgePolicy.MaxAgeDays)
+			}
+			if tt.result.PasswordAgePolicy.ExpireWarnDays != tt.args.org.PasswordAgePolicy.ExpireWarnDays {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.PasswordAgePolicy.ExpireWarnDays, tt.args.org.PasswordAgePolicy.ExpireWarnDays)
+			}
+		})
+	}
+}

internal/org/repository/eventsourcing/model/password_complexity_policy.go

@@ -0,0 +1,24 @@
+package model
+
+import (
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+)
+
+func (o *Org) appendAddPasswordComplexityPolicyEvent(event *es_models.Event) error {
+	o.PasswordComplexityPolicy = new(iam_es_model.PasswordComplexityPolicy)
+	err := o.PasswordComplexityPolicy.SetData(event)
+	if err != nil {
+		return err
+	}
+	o.PasswordComplexityPolicy.ObjectRoot.CreationDate = event.CreationDate
+	return nil
+}
+
+func (o *Org) appendChangePasswordComplexityPolicyEvent(event *es_models.Event) error {
+	return o.PasswordComplexityPolicy.SetData(event)
+}
+
+func (o *Org) appendRemovePasswordComplexityPolicyEvent(event *es_models.Event) {
+	o.PasswordComplexityPolicy = nil
+}

internal/org/repository/eventsourcing/model/password_complexity_policy_test.go

@@ -0,0 +1,86 @@
+package model
+
+import (
+	"encoding/json"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+	"testing"
+)
+
+func TestAppendAddPasswordComplexityPolicyEvent(t *testing.T) {
+	type args struct {
+		org    *Org
+		policy *iam_es_model.PasswordComplexityPolicy
+		event  *es_models.Event
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result *Org
+	}{
+		{
+			name: "append add password complexity policy event",
+			args: args{
+				org:    &Org{},
+				policy: &iam_es_model.PasswordComplexityPolicy{MinLength: 10},
+				event:  &es_models.Event{},
+			},
+			result: &Org{PasswordComplexityPolicy: &iam_es_model.PasswordComplexityPolicy{MinLength: 10}},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.args.policy != nil {
+				data, _ := json.Marshal(tt.args.policy)
+				tt.args.event.Data = data
+			}
+			tt.args.org.appendAddPasswordComplexityPolicyEvent(tt.args.event)
+			if tt.result.PasswordComplexityPolicy.MinLength != tt.args.org.PasswordComplexityPolicy.MinLength {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.PasswordComplexityPolicy.MinLength, tt.args.org.PasswordComplexityPolicy.MinLength)
+			}
+		})
+	}
+}
+
+func TestAppendChangePasswordComplexityPolicyEvent(t *testing.T) {
+	type args struct {
+		org    *Org
+		policy *iam_es_model.PasswordComplexityPolicy
+		event  *es_models.Event
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result *Org
+	}{
+		{
+			name: "append change password complexity policy event",
+			args: args{
+				org: &Org{PasswordComplexityPolicy: &iam_es_model.PasswordComplexityPolicy{
+					MinLength: 10,
+				}},
+				policy: &iam_es_model.PasswordComplexityPolicy{MinLength: 5, HasLowercase: true},
+				event:  &es_models.Event{},
+			},
+			result: &Org{PasswordComplexityPolicy: &iam_es_model.PasswordComplexityPolicy{
+				MinLength:    5,
+				HasLowercase: true,
+			}},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.args.policy != nil {
+				data, _ := json.Marshal(tt.args.policy)
+				tt.args.event.Data = data
+			}
+			tt.args.org.appendChangePasswordComplexityPolicyEvent(tt.args.event)
+			if tt.result.PasswordComplexityPolicy.MinLength != tt.args.org.PasswordComplexityPolicy.MinLength {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.PasswordComplexityPolicy.MinLength, tt.args.org.PasswordComplexityPolicy.MinLength)
+			}
+			if tt.result.PasswordComplexityPolicy.HasLowercase != tt.args.org.PasswordComplexityPolicy.HasLowercase {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.PasswordComplexityPolicy.HasLowercase, tt.args.org.PasswordComplexityPolicy.HasLowercase)
+			}
+		})
+	}
+}

internal/org/repository/eventsourcing/model/password_lockout_policy.go

@@ -0,0 +1,24 @@
+package model
+
+import (
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+)
+
+func (o *Org) appendAddPasswordLockoutPolicyEvent(event *es_models.Event) error {
+	o.PasswordLockoutPolicy = new(iam_es_model.PasswordLockoutPolicy)
+	err := o.PasswordLockoutPolicy.SetData(event)
+	if err != nil {
+		return err
+	}
+	o.PasswordLockoutPolicy.ObjectRoot.CreationDate = event.CreationDate
+	return nil
+}
+
+func (o *Org) appendChangePasswordLockoutPolicyEvent(event *es_models.Event) error {
+	return o.PasswordLockoutPolicy.SetData(event)
+}
+
+func (o *Org) appendRemovePasswordLockoutPolicyEvent(event *es_models.Event) {
+	o.PasswordLockoutPolicy = nil
+}

internal/org/repository/eventsourcing/model/password_lockout_policy_test.go

@@ -0,0 +1,86 @@
+package model
+
+import (
+	"encoding/json"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+	"testing"
+)
+
+func TestAppendAddPasswordLockoutPolicyEvent(t *testing.T) {
+	type args struct {
+		org    *Org
+		policy *iam_es_model.PasswordLockoutPolicy
+		event  *es_models.Event
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result *Org
+	}{
+		{
+			name: "append add password age policy event",
+			args: args{
+				org:    &Org{},
+				policy: &iam_es_model.PasswordLockoutPolicy{MaxAttempts: 10},
+				event:  &es_models.Event{},
+			},
+			result: &Org{PasswordLockoutPolicy: &iam_es_model.PasswordLockoutPolicy{MaxAttempts: 10}},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.args.policy != nil {
+				data, _ := json.Marshal(tt.args.policy)
+				tt.args.event.Data = data
+			}
+			tt.args.org.appendAddPasswordLockoutPolicyEvent(tt.args.event)
+			if tt.result.PasswordLockoutPolicy.MaxAttempts != tt.args.org.PasswordLockoutPolicy.MaxAttempts {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.PasswordLockoutPolicy.MaxAttempts, tt.args.org.PasswordLockoutPolicy.MaxAttempts)
+			}
+		})
+	}
+}
+
+func TestAppendChangePasswordLockoutPolicyEvent(t *testing.T) {
+	type args struct {
+		org    *Org
+		policy *iam_es_model.PasswordLockoutPolicy
+		event  *es_models.Event
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result *Org
+	}{
+		{
+			name: "append change password age policy event",
+			args: args{
+				org: &Org{PasswordLockoutPolicy: &iam_es_model.PasswordLockoutPolicy{
+					MaxAttempts: 10,
+				}},
+				policy: &iam_es_model.PasswordLockoutPolicy{MaxAttempts: 5, ShowLockOutFailures: true},
+				event:  &es_models.Event{},
+			},
+			result: &Org{PasswordLockoutPolicy: &iam_es_model.PasswordLockoutPolicy{
+				MaxAttempts:         5,
+				ShowLockOutFailures: true,
+			}},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.args.policy != nil {
+				data, _ := json.Marshal(tt.args.policy)
+				tt.args.event.Data = data
+			}
+			tt.args.org.appendChangePasswordLockoutPolicyEvent(tt.args.event)
+			if tt.result.PasswordLockoutPolicy.MaxAttempts != tt.args.org.PasswordLockoutPolicy.MaxAttempts {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.PasswordLockoutPolicy.MaxAttempts, tt.args.org.PasswordLockoutPolicy.MaxAttempts)
+			}
+			if tt.result.PasswordLockoutPolicy.ShowLockOutFailures != tt.args.org.PasswordLockoutPolicy.ShowLockOutFailures {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.PasswordLockoutPolicy.ShowLockOutFailures, tt.args.org.PasswordLockoutPolicy.ShowLockOutFailures)
+			}
+		})
+	}
+}

internal/org/repository/eventsourcing/model/types.go

@@ -51,4 +51,16 @@ const (
 	LoginPolicyIDPProviderAdded          models.EventType = "org.policy.login.idpprovider.added"
 	LoginPolicyIDPProviderRemoved        models.EventType = "org.policy.login.idpprovider.removed"
 	LoginPolicyIDPProviderCascadeRemoved models.EventType = "org.policy.login.idpprovider.cascade.removed"
+
+	PasswordComplexityPolicyAdded   models.EventType = "org.policy.password.complexity.added"
+	PasswordComplexityPolicyChanged models.EventType = "org.policy.password.complexity.changed"
+	PasswordComplexityPolicyRemoved models.EventType = "org.policy.password.complexity.removed"
+
+	PasswordAgePolicyAdded   models.EventType = "org.policy.password.age.added"
+	PasswordAgePolicyChanged models.EventType = "org.policy.password.age.changed"
+	PasswordAgePolicyRemoved models.EventType = "org.policy.password.age.removed"
+
+	PasswordLockoutPolicyAdded   models.EventType = "org.policy.password.lockout.added"
+	PasswordLockoutPolicyChanged models.EventType = "org.policy.password.lockout.changed"
+	PasswordLockoutPolicyRemoved models.EventType = "org.policy.password.lockout.removed"
 )