feat: project v2beta resource API (#9742)

# Which Problems Are Solved

Resource management of projects and sub-resources was before limited by
the context provided by the management API, which would mean you could
only manage resources belonging to a specific organization.

# How the Problems Are Solved

With the addition of a resource-based API, it is now possible to manage
projects and sub-resources on the basis of the resources themselves,
which means that as long as you have the permission for the resource,
you can create, read, update and delete it.

- CreateProject to create a project under an organization
- UpdateProject to update an existing project
- DeleteProject to delete an existing project
- DeactivateProject and ActivateProject to change the status of a
project
- GetProject to query for a specific project with an identifier
- ListProject to query for projects and granted projects
- CreateProjectGrant to create a project grant with project and granted
organization
- UpdateProjectGrant to update the roles of a project grant
- DeactivateProjectGrant and ActivateProjectGrant to change the status
of a project grant
- DeleteProjectGrant to delete an existing project grant
- ListProjectGrants to query for project grants
- AddProjectRole to add a role to an existing project
- UpdateProjectRole to change texts of an existing role
- RemoveProjectRole to remove an existing role
- ListProjectRoles to query for project roles

# Additional Changes

- Changes to ListProjects, which now contains granted projects as well
- Changes to messages as defined in the
[API_DESIGN](https://github.com/zitadel/zitadel/blob/main/API_DESIGN.md)
- Permission checks for project functionality on query and command side
- Added testing to unit tests on command side
- Change update endpoints to no error returns if nothing changes in the
resource
- Changed all integration test utility to the new service
- ListProjects now also correctly lists `granted projects`
- Permission checks for project grant and project role functionality on
query and command side
- Change existing pre checks so that they also work resource specific
without resourceowner
- Added the resourceowner to the grant and role if no resourceowner is
provided
- Corrected import tests with project grants and roles
- Added testing to unit tests on command side
- Change update endpoints to no error returns if nothing changes in the
resource
- Changed all integration test utility to the new service
- Corrected some naming in the proto files to adhere to the API_DESIGN

# Additional Context

Closes #9177

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>

internal/command/project_role.go

@@ -7,22 +7,45 @@ import (
 
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/eventstore/v1/models"
 	"github.com/zitadel/zitadel/internal/repository/project"
 	"github.com/zitadel/zitadel/internal/telemetry/tracing"
 	"github.com/zitadel/zitadel/internal/zerrors"
 )
 
-func (c *Commands) AddProjectRole(ctx context.Context, projectRole *domain.ProjectRole, resourceOwner string) (_ *domain.ProjectRole, err error) {
+type AddProjectRole struct {
+	models.ObjectRoot
+
+	Key         string
+	DisplayName string
+	Group       string
+}
+
+func (p *AddProjectRole) IsValid() bool {
+	return p.AggregateID != "" && p.Key != ""
+}
+
+func (c *Commands) AddProjectRole(ctx context.Context, projectRole *AddProjectRole) (_ *domain.ObjectDetails, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
 
-	err = c.checkProjectExists(ctx, projectRole.AggregateID, resourceOwner)
+	projectResourceOwner, err := c.checkProjectExists(ctx, projectRole.AggregateID, projectRole.ResourceOwner)
 	if err != nil {
 		return nil, err
 	}
+	if projectRole.ResourceOwner == "" {
+		projectRole.ResourceOwner = projectResourceOwner
+	}
+	if err := c.checkPermissionWriteProjectRole(ctx, projectRole.ResourceOwner, projectRole.Key); err != nil {
+		return nil, err
+	}
 
-	roleWriteModel := NewProjectRoleWriteModelWithKey(projectRole.Key, projectRole.AggregateID, resourceOwner)
-	projectAgg := ProjectAggregateFromWriteModel(&roleWriteModel.WriteModel)
+	roleWriteModel := NewProjectRoleWriteModelWithKey(projectRole.Key, projectRole.AggregateID, projectRole.ResourceOwner)
+	if roleWriteModel.ResourceOwner != projectResourceOwner {
+		return nil, zerrors.ThrowPreconditionFailed(nil, "PROJECT-RLB4UpqQSd", "Errors.Project.Role.Invalid")
+	}
+
+	projectAgg := ProjectAggregateFromWriteModelWithCTX(ctx, &roleWriteModel.WriteModel)
 	events, err := c.addProjectRoles(ctx, projectAgg, projectRole)
 	if err != nil {
 		return nil, err
@@ -35,37 +58,45 @@ func (c *Commands) AddProjectRole(ctx context.Context, projectRole *domain.Proje
 	if err != nil {
 		return nil, err
 	}
-	return roleWriteModelToRole(roleWriteModel), nil
+	return writeModelToObjectDetails(&roleWriteModel.WriteModel), nil
 }
 
-func (c *Commands) BulkAddProjectRole(ctx context.Context, projectID, resourceOwner string, projectRoles []*domain.ProjectRole) (details *domain.ObjectDetails, err error) {
-	err = c.checkProjectExists(ctx, projectID, resourceOwner)
+func (c *Commands) checkPermissionWriteProjectRole(ctx context.Context, resourceOwner, roleKey string) error {
+	return c.checkPermission(ctx, domain.PermissionProjectRoleWrite, resourceOwner, roleKey)
+}
+
+func (c *Commands) BulkAddProjectRole(ctx context.Context, projectID, resourceOwner string, projectRoles []*AddProjectRole) (details *domain.ObjectDetails, err error) {
+	projectResourceOwner, err := c.checkProjectExists(ctx, projectID, resourceOwner)
 	if err != nil {
 		return nil, err
 	}
+	for _, projectRole := range projectRoles {
+		if projectRole.ResourceOwner == "" {
+			projectRole.ResourceOwner = projectResourceOwner
+		}
+		if err := c.checkPermissionWriteProjectRole(ctx, projectRole.ResourceOwner, projectRole.Key); err != nil {
+			return nil, err
+		}
+		if projectRole.ResourceOwner != projectResourceOwner {
+			return nil, zerrors.ThrowPreconditionFailed(nil, "PROJECT-9ZXtdaJKJJ", "Errors.Project.Role.Invalid")
+		}
+	}
 
 	roleWriteModel := NewProjectRoleWriteModel(projectID, resourceOwner)
-	projectAgg := ProjectAggregateFromWriteModel(&roleWriteModel.WriteModel)
+	projectAgg := ProjectAggregateFromWriteModelWithCTX(ctx, &roleWriteModel.WriteModel)
 	events, err := c.addProjectRoles(ctx, projectAgg, projectRoles...)
 	if err != nil {
 		return details, err
 	}
-
-	pushedEvents, err := c.eventstore.Push(ctx, events...)
-	if err != nil {
-		return nil, err
-	}
-	err = AppendAndReduce(roleWriteModel, pushedEvents...)
-	if err != nil {
-		return nil, err
-	}
-	return writeModelToObjectDetails(&roleWriteModel.WriteModel), nil
+	return c.pushAppendAndReduceDetails(ctx, roleWriteModel, events...)
 }
 
-func (c *Commands) addProjectRoles(ctx context.Context, projectAgg *eventstore.Aggregate, projectRoles ...*domain.ProjectRole) ([]eventstore.Command, error) {
+func (c *Commands) addProjectRoles(ctx context.Context, projectAgg *eventstore.Aggregate, projectRoles ...*AddProjectRole) ([]eventstore.Command, error) {
 	var events []eventstore.Command
 	for _, projectRole := range projectRoles {
-		projectRole.AggregateID = projectAgg.ID
+		if projectRole.ResourceOwner != projectAgg.ResourceOwner {
+			return nil, zerrors.ThrowPreconditionFailed(nil, "PROJECT-4Q2WjlbHvc", "Errors.Project.Role.Invalid")
+		}
 		if !projectRole.IsValid() {
 			return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-4m9vS", "Errors.Project.Role.Invalid")
 		}
@@ -81,42 +112,55 @@ func (c *Commands) addProjectRoles(ctx context.Context, projectAgg *eventstore.A
 	return events, nil
 }
 
-func (c *Commands) ChangeProjectRole(ctx context.Context, projectRole *domain.ProjectRole, resourceOwner string) (_ *domain.ProjectRole, err error) {
+type ChangeProjectRole struct {
+	models.ObjectRoot
+
+	Key         string
+	DisplayName string
+	Group       string
+}
+
+func (p *ChangeProjectRole) IsValid() bool {
+	return p.AggregateID != "" && p.Key != ""
+}
+
+func (c *Commands) ChangeProjectRole(ctx context.Context, projectRole *ChangeProjectRole) (_ *domain.ObjectDetails, err error) {
 	if !projectRole.IsValid() {
 		return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-2ilfW", "Errors.Project.Invalid")
 	}
-	err = c.checkProjectExists(ctx, projectRole.AggregateID, resourceOwner)
+	projectResourceOwner, err := c.checkProjectExists(ctx, projectRole.AggregateID, projectRole.ResourceOwner)
 	if err != nil {
 		return nil, err
 	}
+	if projectRole.ResourceOwner == "" {
+		projectRole.ResourceOwner = projectResourceOwner
+	}
+	if err := c.checkPermissionWriteProjectRole(ctx, projectRole.ResourceOwner, projectRole.Key); err != nil {
+		return nil, err
+	}
 
-	existingRole, err := c.getProjectRoleWriteModelByID(ctx, projectRole.Key, projectRole.AggregateID, resourceOwner)
+	existingRole, err := c.getProjectRoleWriteModelByID(ctx, projectRole.Key, projectRole.AggregateID, projectRole.ResourceOwner)
 	if err != nil {
 		return nil, err
 	}
-	if existingRole.State == domain.ProjectRoleStateUnspecified || existingRole.State == domain.ProjectRoleStateRemoved {
+	if !existingRole.State.Exists() {
 		return nil, zerrors.ThrowNotFound(nil, "COMMAND-vv8M9", "Errors.Project.Role.NotExisting")
 	}
+	if existingRole.ResourceOwner != projectResourceOwner {
+		return nil, zerrors.ThrowPreconditionFailed(nil, "PROJECT-3MizLWveMf", "Errors.Project.Role.Invalid")
+	}
 
-	projectAgg := ProjectAggregateFromWriteModel(&existingRole.WriteModel)
+	projectAgg := ProjectAggregateFromWriteModelWithCTX(ctx, &existingRole.WriteModel)
 
 	changeEvent, changed, err := existingRole.NewProjectRoleChangedEvent(ctx, projectAgg, projectRole.Key, projectRole.DisplayName, projectRole.Group)
 	if err != nil {
 		return nil, err
 	}
 	if !changed {
-		return nil, zerrors.ThrowPreconditionFailed(nil, "COMMAND-5M0cs", "Errors.NoChangesFound")
+		return writeModelToObjectDetails(&existingRole.WriteModel), nil
 	}
 
-	pushedEvents, err := c.eventstore.Push(ctx, changeEvent)
-	if err != nil {
-		return nil, err
-	}
-	err = AppendAndReduce(existingRole, pushedEvents...)
-	if err != nil {
-		return nil, err
-	}
-	return roleWriteModelToRole(existingRole), nil
+	return c.pushAppendAndReduceDetails(ctx, existingRole, changeEvent)
 }
 
 func (c *Commands) RemoveProjectRole(ctx context.Context, projectID, key, resourceOwner string, cascadingProjectGrantIds []string, cascadeUserGrantIDs ...string) (details *domain.ObjectDetails, err error) {
@@ -127,10 +171,14 @@ func (c *Commands) RemoveProjectRole(ctx context.Context, projectID, key, resour
 	if err != nil {
 		return details, err
 	}
-	if existingRole.State == domain.ProjectRoleStateUnspecified || existingRole.State == domain.ProjectRoleStateRemoved {
-		return details, zerrors.ThrowNotFound(nil, "COMMAND-m9vMf", "Errors.Project.Role.NotExisting")
+	// return if project role is not existing
+	if !existingRole.State.Exists() {
+		return writeModelToObjectDetails(&existingRole.WriteModel), nil
 	}
-	projectAgg := ProjectAggregateFromWriteModel(&existingRole.WriteModel)
+	if err := c.checkPermissionDeleteProjectRole(ctx, existingRole.ResourceOwner, existingRole.Key); err != nil {
+		return nil, err
+	}
+	projectAgg := ProjectAggregateFromWriteModelWithCTX(ctx, &existingRole.WriteModel)
 	events := []eventstore.Command{
 		project.NewRoleRemovedEvent(ctx, projectAgg, key),
 	}
@@ -153,15 +201,11 @@ func (c *Commands) RemoveProjectRole(ctx context.Context, projectID, key, resour
 		events = append(events, event)
 	}
 
-	pushedEvents, err := c.eventstore.Push(ctx, events...)
-	if err != nil {
-		return nil, err
-	}
-	err = AppendAndReduce(existingRole, pushedEvents...)
-	if err != nil {
-		return nil, err
-	}
-	return writeModelToObjectDetails(&existingRole.WriteModel), nil
+	return c.pushAppendAndReduceDetails(ctx, existingRole, events...)
+}
+
+func (c *Commands) checkPermissionDeleteProjectRole(ctx context.Context, resourceOwner, roleKey string) error {
+	return c.checkPermission(ctx, domain.PermissionProjectRoleDelete, resourceOwner, roleKey)
 }
 
 func (c *Commands) getProjectRoleWriteModelByID(ctx context.Context, key, projectID, resourceOwner string) (*ProjectRoleWriteModel, error) {