feat(permissions): project member permission filter (#9757)

# Which Problems Are Solved

Add the possibility to filter project resources based on project member
roles.

# How the Problems Are Solved

Extend and refactor existing Pl/PgSQL functions to implement the
following:

- Solve O(n) complexity in returned resources IDs by returning a boolean
filter for instance level permissions.
- Individually permitted orgs are returned only if there was no instance
permission
- Individually permitted projects are returned only if there was no
instance permission
- Because of the multiple filter terms, use `INNER JOIN`s instead of
`WHERE` clauses.

# Additional Changes

- system permission function no longer query the organization view and
therefore can be `immutable`, giving big performance benefits for
frequently reused system users. (like our hosted login in Zitadel cloud)
- The permitted org and project functions are now defined as `stable`
because the don't modify on-disk data. This might give a small
performance gain
- The Pl/PgSQL functions are now tested using Go unit tests.

# Additional Context

- Depends on https://github.com/zitadel/zitadel/pull/9677
- Part of https://github.com/zitadel/zitadel/issues/9188
- Closes https://github.com/zitadel/zitadel/issues/9190

cmd/setup/53/02-permitted_orgs_function.sql

@@ -1,144 +1,71 @@
-DROP FUNCTION IF EXISTS eventstore.check_system_user_perms;
+DROP FUNCTION IF EXISTS eventstore.permitted_orgs;
+DROP FUNCTION IF EXISTS eventstore.find_roles;
 
-CREATE OR REPLACE FUNCTION eventstore.check_system_user_perms(
-     system_user_perms JSONB
+-- find_roles finds all roles containing the permission
+CREATE OR REPLACE FUNCTION eventstore.find_roles(
+    req_instance_id TEXT
     , perm TEXT
-    , filter_orgs TEXT
 
-    , org_ids OUT TEXT[]
+    , roles OUT TEXT[]
 )
-	LANGUAGE 'plpgsql'
+LANGUAGE 'plpgsql' STABLE
 AS $$
 BEGIN
-
-    WITH found_permissions(member_type, aggregate_id, object_id ) AS (
-      SELECT * FROM eventstore.get_system_permissions(
-          system_user_perms,
-          perm)
-    )
-
-    SELECT array_agg(DISTINCT o.org_id) INTO org_ids
-      FROM eventstore.instance_orgs o, found_permissions
-      WHERE
-        CASE WHEN (SELECT TRUE WHERE found_permissions.member_type = 'System' LIMIT 1) THEN
-          TRUE
-        WHEN (SELECT TRUE WHERE found_permissions.member_type = 'IAM' LIMIT 1) THEN
-          -- aggregate_id not present
-          CASE WHEN (SELECT TRUE WHERE '' = ANY (
-                              (
-                                SELECT array_agg(found_permissions.aggregate_id)
-                                  FROM found_permissions
-                                  WHERE member_type = 'IAM'
-                                  GROUP BY member_type
-                                  LIMIT 1
-                              )::TEXT[])) THEN
-            TRUE
-          -- aggregate_id is present
-          ELSE 
-            o.instance_id = ANY (
-                            (
-                              SELECT array_agg(found_permissions.aggregate_id)
-                                FROM found_permissions
-                                WHERE member_type = 'IAM'
-                                GROUP BY member_type
-                                LIMIT 1
-                            )::TEXT[])
-          END
-        WHEN (SELECT TRUE WHERE found_permissions.member_type = 'Organization' LIMIT 1) THEN
-          -- aggregate_id not present
-          CASE WHEN (SELECT TRUE WHERE '' = ANY (
-                              (
-                                SELECT array_agg(found_permissions.aggregate_id)
-                                  FROM found_permissions
-                                  WHERE member_type = 'Organization'
-                                  GROUP BY member_type
-                                  LIMIT 1
-                              )::TEXT[])) THEN
-            TRUE
-          -- aggregate_id is present
-          ELSE 
-            o.org_id = ANY (
-                        (
-                          SELECT array_agg(found_permissions.aggregate_id)
-                            FROM found_permissions
-                            WHERE member_type = 'Organization'
-                            GROUP BY member_type
-                            LIMIT 1
-                        )::TEXT[])
-          END
-        END
-        AND
-        CASE WHEN filter_orgs != ''
-        THEN o.org_id IN (filter_orgs) 
-        ELSE TRUE END
-      LIMIT 1;
+    SELECT array_agg(rp.role) INTO roles
+    FROM eventstore.role_permissions rp
+    WHERE rp.instance_id = req_instance_id
+    AND rp.permission = perm;
 END;
 $$;
 
-
-DROP FUNCTION IF EXISTS eventstore.permitted_orgs;
-
 CREATE OR REPLACE FUNCTION eventstore.permitted_orgs(
-    instanceId TEXT
-    , userId TEXT
+    req_instance_id TEXT
+    , auth_user_id TEXT
     , system_user_perms JSONB
     , perm TEXT
-    , filter_orgs TEXT
+    , filter_org TEXT
 
+    , instance_permitted OUT BOOLEAN
     , org_ids OUT TEXT[]
 )
-	LANGUAGE 'plpgsql'
+	LANGUAGE 'plpgsql' STABLE
 AS $$
 BEGIN
-
-  -- if system user
-  IF system_user_perms IS NOT NULL THEN
-    org_ids := eventstore.check_system_user_perms(system_user_perms, perm, filter_orgs);
-  -- if human/machine user
-  ELSE
+    -- if system user
+    IF system_user_perms IS NOT NULL THEN
+        SELECT p.instance_permitted, p.org_ids INTO instance_permitted, org_ids
+        FROM eventstore.check_system_user_perms(system_user_perms, req_instance_id, perm) p;
+        RETURN;
+    END IF;
+  
+    -- if human/machine user
     DECLARE
-      matched_roles TEXT[]; -- roles containing permission
-    BEGIN
-
-      SELECT array_agg(rp.role) INTO matched_roles
-      FROM eventstore.role_permissions rp
-      WHERE rp.instance_id = instanceId
-      AND rp.permission = perm;
-
-      -- First try if the permission was granted thru an instance-level role
-      DECLARE
-        has_instance_permission bool;
-      BEGIN
-        SELECT true INTO has_instance_permission
-          FROM eventstore.instance_members im
-          WHERE im.role = ANY(matched_roles)
-          AND im.instance_id = instanceId
-          AND im.user_id = userId
-          LIMIT 1;
+    	matched_roles TEXT[] := eventstore.find_roles(req_instance_id, perm);
+	BEGIN
+        -- First try if the permission was granted thru an instance-level role
+        SELECT true INTO instance_permitted
+            FROM eventstore.instance_members im
+            WHERE im.role = ANY(matched_roles)
+            AND im.instance_id = req_instance_id
+            AND im.user_id = auth_user_id
+            LIMIT 1;
         
-        IF has_instance_permission THEN
-          -- Return all organizations or only those in filter_orgs
-          SELECT array_agg(o.org_id) INTO org_ids
-            FROM eventstore.instance_orgs o
-            WHERE o.instance_id = instanceId
-            AND CASE WHEN filter_orgs != ''
-              THEN o.org_id IN (filter_orgs) 
-              ELSE TRUE END;
-          RETURN;
+        org_ids := ARRAY[]::TEXT[];
+        IF instance_permitted THEN
+            RETURN;
         END IF;
-      END;
-      
-      -- Return the organizations where permission were granted thru org-level roles
-      SELECT array_agg(sub.org_id) INTO org_ids
-      FROM (
-        SELECT DISTINCT om.org_id
-        FROM eventstore.org_members om
-        WHERE om.role = ANY(matched_roles)
-        AND om.instance_id = instanceID
-        AND om.user_id = userId
-      ) AS sub;
+        instance_permitted := FALSE;
+
+        -- Return the organizations where permission were granted thru org-level roles
+        SELECT array_agg(sub.org_id) INTO org_ids
+        FROM (
+            SELECT DISTINCT om.org_id
+            FROM eventstore.org_members om
+            WHERE om.role = ANY(matched_roles)
+            AND om.instance_id = req_instance_id
+            AND om.user_id = auth_user_id
+            AND (filter_org IS NULL OR om.org_id = filter_org)
+        ) AS sub;
     END;
-  END IF;
 END;
 $$;
-