feat: impersonation roles (#7442)

* partial work done

* test IAM membership roles

* org membership tests

* console :(, translations and docs

* fix integration test

* fix tests

* add EnableImpersonation to security policy API

* fix integration test timestamp checking

* add security policy tests and fix projections

* add impersonation setting in console

* add security settings to the settings v2 API

* fix typo

* move impersonation to instance

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>

internal/repository/instance/policy_security.go

@@ -15,8 +15,12 @@ const (
 type SecurityPolicySetEvent struct {
 	eventstore.BaseEvent `json:"-"`
 
-	Enabled        *bool     `json:"enabled,omitempty"`
-	AllowedOrigins *[]string `json:"allowedOrigins,omitempty"`
+	// Enabled is a legacy field which was used before for Iframe Embedding.
+	// It is kept so older events can still be reduced.
+	Enabled               *bool     `json:"enabled,omitempty"`
+	EnableIframeEmbedding *bool     `json:"enable_iframe_embedding,omitempty"`
+	AllowedOrigins        *[]string `json:"allowedOrigins,omitempty"`
+	EnableImpersonation   *bool     `json:"enable_impersonation,omitempty"`
 }
 
 func NewSecurityPolicySetEvent(
@@ -42,9 +46,9 @@ func NewSecurityPolicySetEvent(
 
 type SecurityPolicyChanges func(event *SecurityPolicySetEvent)
 
-func ChangeSecurityPolicyEnabled(enabled bool) func(event *SecurityPolicySetEvent) {
+func ChangeSecurityPolicyEnableIframeEmbedding(enabled bool) func(event *SecurityPolicySetEvent) {
 	return func(e *SecurityPolicySetEvent) {
-		e.Enabled = &enabled
+		e.EnableIframeEmbedding = &enabled
 	}
 }
 
@@ -57,6 +61,12 @@ func ChangeSecurityPolicyAllowedOrigins(allowedOrigins []string) func(event *Sec
 	}
 }
 
+func ChangeSecurityPolicyEnableImpersonation(enabled bool) func(event *SecurityPolicySetEvent) {
+	return func(e *SecurityPolicySetEvent) {
+		e.EnableImpersonation = &enabled
+	}
+}
+
 func (e *SecurityPolicySetEvent) Payload() interface{} {
 	return e
 }