feat: impersonation roles (#7442)

* partial work done

* test IAM membership roles

* org membership tests

* console :(, translations and docs

* fix integration test

* fix tests

* add EnableImpersonation to security policy API

* fix integration test timestamp checking

* add security policy tests and fix projections

* add impersonation setting in console

* add security settings to the settings v2 API

* fix typo

* move impersonation to instance

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>

internal/integration/assert.go

@@ -5,12 +5,22 @@ import (
 	"time"
 
 	"github.com/stretchr/testify/assert"
+	"google.golang.org/protobuf/types/known/timestamppb"
 
 	object "github.com/zitadel/zitadel/pkg/grpc/object/v2beta"
 )
 
-type DetailsMsg interface {
-	GetDetails() *object.Details
+// Details is the interface that covers both v1 and v2 proto generated object details.
+type Details interface {
+	comparable
+	GetSequence() uint64
+	GetChangeDate() *timestamppb.Timestamp
+	GetResourceOwner() string
+}
+
+// DetailsMsg is the interface that covers all proto messages which contain v1 or v2 object details.
+type DetailsMsg[D Details] interface {
+	GetDetails() D
 }
 
 type ListDetailsMsg interface {
@@ -24,22 +34,24 @@ type ListDetailsMsg interface {
 // Dynamically generated values are not compared with expected.
 // Instead a sanity check is performed.
 // For the sequence a non-zero value is expected.
-// The change date has to be now, with a tollerance of 1 second.
+// If the change date is populated, it is checked with a tolerance of 1 minute around Now.
 //
-// The resource owner is compared with expected and is
-// therefore the only value that has to be set.
-func AssertDetails[D DetailsMsg](t testing.TB, expected, actual D) {
+// The resource owner is compared with expected.
+func AssertDetails[D Details, M DetailsMsg[D]](t testing.TB, expected, actual M) {
 	wantDetails, gotDetails := expected.GetDetails(), actual.GetDetails()
-	if wantDetails == nil {
+	var nilDetails D
+	if wantDetails == nilDetails {
 		assert.Nil(t, gotDetails)
 		return
 	}
 
 	assert.NotZero(t, gotDetails.GetSequence())
 
-	gotCD := gotDetails.GetChangeDate().AsTime()
-	now := time.Now()
-	assert.WithinRange(t, gotCD, now.Add(-time.Minute), now.Add(time.Minute))
+	if wantDetails.GetChangeDate() != nil {
+		wantChangeDate := time.Now()
+		gotChangeDate := gotDetails.GetChangeDate().AsTime()
+		assert.WithinRange(t, gotChangeDate, wantChangeDate.Add(-time.Minute), wantChangeDate.Add(time.Minute))
+	}
 
 	assert.Equal(t, wantDetails.GetResourceOwner(), gotDetails.GetResourceOwner())
 }

internal/integration/assert_test.go

@@ -32,6 +32,7 @@ func TestAssertDetails(t *testing.T) {
 			exptected: myMsg{
 				details: &object.Details{
 					ResourceOwner: "me",
+					ChangeDate:    timestamppb.Now(),
 				},
 			},
 			actual: myMsg{

internal/integration/client.go

@@ -34,6 +34,7 @@ import (
 	org "github.com/zitadel/zitadel/pkg/grpc/org/v2beta"
 	organisation "github.com/zitadel/zitadel/pkg/grpc/org/v2beta"
 	session "github.com/zitadel/zitadel/pkg/grpc/session/v2beta"
+	settings "github.com/zitadel/zitadel/pkg/grpc/settings/v2beta"
 	"github.com/zitadel/zitadel/pkg/grpc/system"
 	user_pb "github.com/zitadel/zitadel/pkg/grpc/user"
 	user "github.com/zitadel/zitadel/pkg/grpc/user/v2beta"
@@ -46,6 +47,7 @@ type Client struct {
 	Auth        auth.AuthServiceClient
 	UserV2      user.UserServiceClient
 	SessionV2   session.SessionServiceClient
+	SettingsV2  settings.SettingsServiceClient
 	OIDCv2      oidc_pb.OIDCServiceClient
 	OrgV2       organisation.OrganizationServiceClient
 	System      system.SystemServiceClient
@@ -61,6 +63,7 @@ func newClient(cc *grpc.ClientConn) Client {
 		Auth:        auth.NewAuthServiceClient(cc),
 		UserV2:      user.NewUserServiceClient(cc),
 		SessionV2:   session.NewSessionServiceClient(cc),
+		SettingsV2:  settings.NewSettingsServiceClient(cc),
 		OIDCv2:      oidc_pb.NewOIDCServiceClient(cc),
 		OrgV2:       organisation.NewOrganizationServiceClient(cc),
 		System:      system.NewSystemServiceClient(cc),