feat: api v2beta to api v2 (#8283)

# Which Problems Are Solved

The v2beta services are stable but not GA.

# How the Problems Are Solved

The v2beta services are copied to v2. The corresponding v1 and v2beta
services are deprecated.

# Additional Context

Closes #7236

---------

Co-authored-by: Elio Bischof <elio@zitadel.com>

internal/command/org_idp_config_test.go

@@ -398,7 +398,8 @@ func newIDPConfigChangedEvent(ctx context.Context, orgID, configID, oldName, new
 
 func TestCommands_RemoveIDPConfig(t *testing.T) {
 	type fields struct {
-		eventstore *eventstore.Eventstore
+		eventstore      *eventstore.Eventstore
+		checkPermission domain.PermissionCheck
 	}
 	type args struct {
 		ctx                   context.Context
@@ -423,6 +424,7 @@ func TestCommands_RemoveIDPConfig(t *testing.T) {
 				eventstore: eventstoreExpect(t,
 					expectFilter(),
 				),
+				checkPermission: newMockPermissionCheckAllowed(),
 			},
 			args{
 				context.Background(),
@@ -460,6 +462,7 @@ func TestCommands_RemoveIDPConfig(t *testing.T) {
 						),
 					),
 				),
+				checkPermission: newMockPermissionCheckAllowed(),
 			},
 			args{
 				context.Background(),
@@ -532,6 +535,84 @@ func TestCommands_RemoveIDPConfig(t *testing.T) {
 						),
 					),
 				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				context.Background(),
+				"idp1",
+				"org1",
+				true,
+				[]*domain.UserIDPLink{
+					{
+						ObjectRoot: models.ObjectRoot{
+							AggregateID: "user1",
+						},
+						IDPConfigID:    "idp1",
+						ExternalUserID: "id1",
+						DisplayName:    "name",
+					},
+				},
+			},
+			res{
+				&domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+				nil,
+			},
+		},
+		{
+			"cascade, permission error",
+			fields{
+				eventstore: eventstoreExpect(t,
+					expectFilter(
+						eventFromEventPusher(
+							org.NewIDPConfigAddedEvent(context.Background(),
+								&org.NewAggregate("org1").Aggregate,
+								"idp1",
+								"name1",
+								domain.IDPConfigTypeOIDC,
+								domain.IDPConfigStylingTypeGoogle,
+								false,
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							user.NewHumanAddedEvent(context.Background(),
+								&user.NewAggregate("user1", "org1").Aggregate,
+								"username",
+								"firstname",
+								"lastname",
+								"nickname",
+								"displayName",
+								language.German,
+								domain.GenderUnspecified,
+								"email@test.com",
+								true,
+							),
+						),
+						eventFromEventPusher(
+							user.NewUserIDPLinkAddedEvent(context.Background(),
+								&user.NewAggregate("user1", "org1").Aggregate,
+								"idp1",
+								"name",
+								"id1",
+							),
+						),
+					),
+					expectPush(
+						org.NewIDPConfigRemovedEvent(context.Background(),
+							&org.NewAggregate("org1").Aggregate,
+							"idp1",
+							"name1",
+						),
+						org.NewIdentityProviderCascadeRemovedEvent(context.Background(),
+							&org.NewAggregate("org1").Aggregate,
+							"idp1",
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckNotAllowed(),
 			},
 			args{
 				context.Background(),
@@ -560,7 +641,8 @@ func TestCommands_RemoveIDPConfig(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			c := &Commands{
-				eventstore: tt.fields.eventstore,
+				eventstore:      tt.fields.eventstore,
+				checkPermission: tt.fields.checkPermission,
 			}
 			got, err := c.RemoveIDPConfig(tt.args.ctx, tt.args.idpID, tt.args.orgID, tt.args.cascadeRemoveProvider, tt.args.cascadeExternalIDPs...)
 			if tt.res.err == nil {

internal/command/user_human_webauthn.go

@@ -603,6 +603,11 @@ func (c *Commands) removeHumanWebAuthN(ctx context.Context, userID, webAuthNID,
 	if existingWebAuthN.State == domain.MFAStateUnspecified || existingWebAuthN.State == domain.MFAStateRemoved {
 		return nil, zerrors.ThrowNotFound(nil, "COMMAND-DAfb2", "Errors.User.WebAuthN.NotFound")
 	}
+	if userID != authz.GetCtxData(ctx).UserID {
+		if err := c.checkPermission(ctx, domain.PermissionUserWrite, existingWebAuthN.ResourceOwner, existingWebAuthN.AggregateID); err != nil {
+			return nil, err
+		}
+	}
 
 	userAgg := UserAggregateFromWriteModel(&existingWebAuthN.WriteModel)
 	pushedEvents, err := c.eventstore.Push(ctx, preparedEvent(userAgg))

internal/command/user_idp_link.go

@@ -126,6 +126,11 @@ func (c *Commands) removeUserIDPLink(ctx context.Context, link *domain.UserIDPLi
 	if existingLink.State == domain.UserIDPLinkStateUnspecified || existingLink.State == domain.UserIDPLinkStateRemoved {
 		return nil, nil, zerrors.ThrowNotFound(nil, "COMMAND-1M9xR", "Errors.User.ExternalIDP.NotFound")
 	}
+	if existingLink.AggregateID != authz.GetCtxData(ctx).UserID {
+		if err := c.checkPermission(ctx, domain.PermissionUserWrite, existingLink.ResourceOwner, existingLink.AggregateID); err != nil {
+			return nil, nil, err
+		}
+	}
 	userAgg := UserAggregateFromWriteModel(&existingLink.WriteModel)
 	if cascade {
 		return user.NewUserIDPLinkCascadeRemovedEvent(ctx, userAgg, link.IDPConfigID, link.ExternalUserID), existingLink, nil

internal/command/user_idp_link_test.go

@@ -519,7 +519,8 @@ func TestCommandSide_BulkAddUserIDPLinks(t *testing.T) {
 
 func TestCommandSide_RemoveUserIDPLink(t *testing.T) {
 	type fields struct {
-		eventstore *eventstore.Eventstore
+		eventstore      *eventstore.Eventstore
+		checkPermission domain.PermissionCheck
 	}
 	type args struct {
 		ctx  context.Context
@@ -541,6 +542,7 @@ func TestCommandSide_RemoveUserIDPLink(t *testing.T) {
 				eventstore: eventstoreExpect(
 					t,
 				),
+				checkPermission: newMockPermissionCheckAllowed(),
 			},
 			args: args{
 				ctx: context.Background(),
@@ -562,6 +564,7 @@ func TestCommandSide_RemoveUserIDPLink(t *testing.T) {
 				eventstore: eventstoreExpect(
 					t,
 				),
+				checkPermission: newMockPermissionCheckAllowed(),
 			},
 			args: args{
 				ctx: context.Background(),
@@ -598,6 +601,7 @@ func TestCommandSide_RemoveUserIDPLink(t *testing.T) {
 						),
 					),
 				),
+				checkPermission: newMockPermissionCheckAllowed(),
 			},
 			args: args{
 				ctx: context.Background(),
@@ -620,6 +624,7 @@ func TestCommandSide_RemoveUserIDPLink(t *testing.T) {
 					t,
 					expectFilter(),
 				),
+				checkPermission: newMockPermissionCheckAllowed(),
 			},
 			args: args{
 				ctx: context.Background(),
@@ -635,6 +640,38 @@ func TestCommandSide_RemoveUserIDPLink(t *testing.T) {
 				err: zerrors.IsNotFound,
 			},
 		},
+		{
+			name: "remove external idp, permission error",
+			fields: fields{
+				eventstore: eventstoreExpect(
+					t,
+					expectFilter(
+						eventFromEventPusher(
+							user.NewUserIDPLinkAddedEvent(context.Background(),
+								&user.NewAggregate("user1", "org1").Aggregate,
+								"config1",
+								"name",
+								"externaluser1",
+							),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckNotAllowed(),
+			},
+			args: args{
+				ctx: context.Background(),
+				link: &domain.UserIDPLink{
+					ObjectRoot: models.ObjectRoot{
+						AggregateID: "user1",
+					},
+					IDPConfigID:    "config1",
+					ExternalUserID: "externaluser1",
+				},
+			},
+			res: res{
+				err: zerrors.IsPermissionDenied,
+			},
+		},
 		{
 			name: "remove external idp, ok",
 			fields: fields{
@@ -658,6 +695,7 @@ func TestCommandSide_RemoveUserIDPLink(t *testing.T) {
 						),
 					),
 				),
+				checkPermission: newMockPermissionCheckAllowed(),
 			},
 			args: args{
 				ctx: context.Background(),
@@ -679,7 +717,8 @@ func TestCommandSide_RemoveUserIDPLink(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			r := &Commands{
-				eventstore: tt.fields.eventstore,
+				eventstore:      tt.fields.eventstore,
+				checkPermission: tt.fields.checkPermission,
 			}
 			got, err := r.RemoveUserIDPLink(tt.args.ctx, tt.args.link)
 			if tt.res.err == nil {