perf(actionsv2): execution target router (#10564)

# Which Problems Are Solved

The event execution system currently uses a projection handler that
subscribes to and processes all events for all instances. This creates a
high static cost because the system over-fetches event data, handling
many events that are not needed by most instances. This inefficiency is
also reflected in high "rows returned" metrics in the database.

# How the Problems Are Solved

Eliminate the use of a project handler. Instead, events for which
"execution targets" are defined, are directly pushed to the queue by the
eventstore. A Router is populated in the Instance object in the authz
middleware.

- By joining the execution targets to the instance, no additional
queries are needed anymore.
- As part of the instance object, execution targets are now cached as
well.
- Events are queued within the same transaction, giving transactional
guarantees on delivery.
- Uses the "insert many fast` variant of River. Multiple jobs are queued
in a single round-trip to the database.
- Fix compatibility with PostgreSQL 15

# Additional Changes

- The signing key was stored as plain-text in the river job payload in
the DB. This violated our [Secrets
Storage](https://zitadel.com/docs/concepts/architecture/secrets#secrets-storage)
principle. This change removed the field and only uses the encrypted
version of the signing key.
- Fixed the target ordering from descending to ascending.
- Some minor linter warnings on the use of `io.WriteString()`.

# Additional Context

- Introduced in https://github.com/zitadel/zitadel/pull/9249
- Closes https://github.com/zitadel/zitadel/issues/10553
- Closes https://github.com/zitadel/zitadel/issues/9832
- Closes https://github.com/zitadel/zitadel/issues/10372
- Closes https://github.com/zitadel/zitadel/issues/10492

---------

Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
(cherry picked from commit a9ebc06c77)

internal/api/saml/provider.go

@@ -42,6 +42,7 @@ func NewProvider(
 	repo repository.Repository,
 	encAlg crypto.EncryptionAlgorithm,
 	certEncAlg crypto.EncryptionAlgorithm,
+	targetEncAlg crypto.EncryptionAlgorithm,
 	es *eventstore.Eventstore,
 	projections *database.DB,
 	instanceHandler,
@@ -56,6 +57,7 @@ func NewProvider(
 		repo,
 		encAlg,
 		certEncAlg,
+		targetEncAlg,
 		es,
 		projections,
 		fmt.Sprintf("%s%s?%s=", login.HandlerPrefix, login.EndpointLogin, login.QueryAuthRequestID),
@@ -114,6 +116,7 @@ func newStorage(
 	repo repository.Repository,
 	encAlg crypto.EncryptionAlgorithm,
 	certEncAlg crypto.EncryptionAlgorithm,
+	targetEncAlg crypto.EncryptionAlgorithm,
 	es *eventstore.Eventstore,
 	db *database.DB,
 	defaultLoginURL string,
@@ -123,6 +126,7 @@ func newStorage(
 	return &Storage{
 		encAlg:            encAlg,
 		certEncAlg:        certEncAlg,
+		targetEncAlg:      targetEncAlg,
 		locker:            crdb.NewLocker(db.DB, locksTable, signingKey),
 		eventstore:        es,
 		repo:              repo,

internal/api/saml/storage.go

@@ -56,6 +56,7 @@ type Storage struct {
 	certificateAlgorithm string
 	encAlg               crypto.EncryptionAlgorithm
 	certEncAlg           crypto.EncryptionAlgorithm
+	targetEncAlg         crypto.EncryptionAlgorithm
 
 	eventstore *eventstore.Eventstore
 	repo       repository.Repository
@@ -390,10 +391,7 @@ func (p *Storage) getCustomAttributes(ctx context.Context, user *query.User, use
 	}
 
 	function := exec_repo.ID(domain.ExecutionTypeFunction, domain.ActionFunctionPreSAMLResponse.LocalizationKey())
-	executionTargets, err := execution.QueryExecutionTargetsForFunction(ctx, p.query, function)
-	if err != nil {
-		return nil, err
-	}
+	executionTargets := execution.QueryExecutionTargetsForFunction(ctx, function)
 
 	// correct time for utc
 	user.CreationDate = user.CreationDate.UTC()
@@ -405,7 +403,7 @@ func (p *Storage) getCustomAttributes(ctx context.Context, user *query.User, use
 		UserGrants: userGrants.UserGrants,
 	}
 
-	resp, err := execution.CallTargets(ctx, executionTargets, info)
+	resp, err := execution.CallTargets(ctx, executionTargets, info, p.targetEncAlg)
 	if err != nil {
 		return nil, err
 	}