feat: option to disallow public org registration (#6917)

* feat: return 404 or 409 if org reg disallowed

* fix: system limit permissions

* feat: add iam limits api

* feat: disallow public org registrations on default instance

* add integration test

* test: integration

* fix test

* docs: describe public org registrations

* avoid updating docs deps

* fix system limits integration test

* silence integration tests

* fix linting

* ignore strange linter complaints

* review

* improve reset properties naming

* redefine the api

* use restrictions aggregate

* test query

* simplify and test projection

* test commands

* fix unit tests

* move integration test

* support restrictions on default instance

* also test GetRestrictions

* self review

* lint

* abstract away resource owner

* fix tests

* lint

internal/query/restrictions.go

@@ -0,0 +1,108 @@
+package query
+
+import (
+	"context"
+	"database/sql"
+	"errors"
+	"time"
+
+	sq "github.com/Masterminds/squirrel"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/api/call"
+	zitade_errors "github.com/zitadel/zitadel/internal/errors"
+	"github.com/zitadel/zitadel/internal/query/projection"
+	"github.com/zitadel/zitadel/internal/telemetry/tracing"
+)
+
+var (
+	restrictionsTable = table{
+		name:          projection.RestrictionsProjectionTable,
+		instanceIDCol: projection.RestrictionsColumnInstanceID,
+	}
+	RestrictionsColumnAggregateID = Column{
+		name:  projection.RestrictionsColumnAggregateID,
+		table: restrictionsTable,
+	}
+	RestrictionsColumnCreationDate = Column{
+		name:  projection.RestrictionsColumnCreationDate,
+		table: restrictionsTable,
+	}
+	RestrictionsColumnChangeDate = Column{
+		name:  projection.RestrictionsColumnChangeDate,
+		table: restrictionsTable,
+	}
+	RestrictionsColumnResourceOwner = Column{
+		name:  projection.RestrictionsColumnResourceOwner,
+		table: restrictionsTable,
+	}
+	RestrictionsColumnInstanceID = Column{
+		name:  projection.RestrictionsColumnInstanceID,
+		table: restrictionsTable,
+	}
+	RestrictionsColumnSequence = Column{
+		name:  projection.RestrictionsColumnSequence,
+		table: restrictionsTable,
+	}
+	RestrictionsColumnDisallowPublicOrgRegistrations = Column{
+		name:  projection.RestrictionsColumnDisallowPublicOrgRegistration,
+		table: restrictionsTable,
+	}
+)
+
+type Restrictions struct {
+	AggregateID   string
+	CreationDate  time.Time
+	ChangeDate    time.Time
+	ResourceOwner string
+	Sequence      uint64
+
+	DisallowPublicOrgRegistration bool
+}
+
+func (q *Queries) GetInstanceRestrictions(ctx context.Context) (restrictions Restrictions, err error) {
+	ctx, span := tracing.NewSpan(ctx)
+	defer func() { span.EndWithError(err) }()
+
+	stmt, scan := prepareRestrictionsQuery(ctx, q.client)
+	instanceID := authz.GetInstance(ctx).InstanceID()
+	query, args, err := stmt.Where(sq.Eq{
+		RestrictionsColumnInstanceID.identifier():    instanceID,
+		RestrictionsColumnResourceOwner.identifier(): instanceID,
+	}).ToSql()
+	if err != nil {
+		return restrictions, zitade_errors.ThrowInternal(err, "QUERY-XnLMQ", "Errors.Query.SQLStatment")
+	}
+	err = q.client.QueryRowContext(ctx, func(row *sql.Row) error {
+		restrictions, err = scan(row)
+		return err
+	}, query, args...)
+	if errors.Is(err, sql.ErrNoRows) {
+		// not found is not an error
+		err = nil
+	}
+	return restrictions, err
+}
+
+func prepareRestrictionsQuery(ctx context.Context, db prepareDatabase) (sq.SelectBuilder, func(*sql.Row) (Restrictions, error)) {
+	return sq.Select(
+			RestrictionsColumnAggregateID.identifier(),
+			RestrictionsColumnCreationDate.identifier(),
+			RestrictionsColumnChangeDate.identifier(),
+			RestrictionsColumnResourceOwner.identifier(),
+			RestrictionsColumnSequence.identifier(),
+			RestrictionsColumnDisallowPublicOrgRegistrations.identifier(),
+		).
+			From(restrictionsTable.identifier() + db.Timetravel(call.Took(ctx))).
+			PlaceholderFormat(sq.Dollar),
+		func(row *sql.Row) (restrictions Restrictions, err error) {
+			return restrictions, row.Scan(
+				&restrictions.AggregateID,
+				&restrictions.CreationDate,
+				&restrictions.ChangeDate,
+				&restrictions.ResourceOwner,
+				&restrictions.Sequence,
+				&restrictions.DisallowPublicOrgRegistration,
+			)
+		}
+}