feat: user api requests to resource API (#9794)

# Which Problems Are Solved

This pull request addresses a significant gap in the user service v2
API, which currently lacks methods for managing machine users.

# How the Problems Are Solved

This PR adds new API endpoints to the user service v2 to manage machine
users including their secret, keys and personal access tokens.
Additionally, there's now a CreateUser and UpdateUser endpoints which
allow to create either a human or machine user and update them. The
existing `CreateHumanUser` endpoint has been deprecated along the
corresponding management service endpoints. For details check the
additional context section.

# Additional Context

- Closes https://github.com/zitadel/zitadel/issues/9349

## More details
- API changes: https://github.com/zitadel/zitadel/pull/9680
- Implementation: https://github.com/zitadel/zitadel/pull/9763
- Tests: https://github.com/zitadel/zitadel/pull/9771

## Follow-ups

- Metadata: support managing user metadata using resource API
https://github.com/zitadel/zitadel/pull/10005
- Machine token type: support managing the machine token type (migrate
to new enum with zero value unspecified?)

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Livio Spring <livio.a@gmail.com>

internal/query/user_personal_access_token.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"database/sql"
 	"errors"
+	"slices"
 	"time"
 
 	sq "github.com/Masterminds/squirrel"
@@ -11,12 +12,21 @@ import (
 
 	"github.com/zitadel/zitadel/internal/api/authz"
 	"github.com/zitadel/zitadel/internal/database"
+	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/eventstore/handler/v2"
 	"github.com/zitadel/zitadel/internal/query/projection"
 	"github.com/zitadel/zitadel/internal/telemetry/tracing"
 	"github.com/zitadel/zitadel/internal/zerrors"
 )
 
+func patsCheckPermission(ctx context.Context, tokens *PersonalAccessTokens, permissionCheck domain.PermissionCheck) {
+	tokens.PersonalAccessTokens = slices.DeleteFunc(tokens.PersonalAccessTokens,
+		func(token *PersonalAccessToken) bool {
+			return userCheckPermission(ctx, token.ResourceOwner, token.UserID, permissionCheck) != nil
+		},
+	)
+}
+
 var (
 	personalAccessTokensTable = table{
 		name:          projection.PersonalAccessTokenProjectionTable,
@@ -86,7 +96,7 @@ type PersonalAccessTokenSearchQueries struct {
 	Queries []SearchQuery
 }
 
-func (q *Queries) PersonalAccessTokenByID(ctx context.Context, shouldTriggerBulk bool, id string, withOwnerRemoved bool, queries ...SearchQuery) (pat *PersonalAccessToken, err error) {
+func (q *Queries) PersonalAccessTokenByID(ctx context.Context, shouldTriggerBulk bool, id string, queries ...SearchQuery) (pat *PersonalAccessToken, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
 
@@ -102,11 +112,9 @@ func (q *Queries) PersonalAccessTokenByID(ctx context.Context, shouldTriggerBulk
 		query = q.toQuery(query)
 	}
 	eq := sq.Eq{
-		PersonalAccessTokenColumnID.identifier():         id,
-		PersonalAccessTokenColumnInstanceID.identifier(): authz.GetInstance(ctx).InstanceID(),
-	}
-	if !withOwnerRemoved {
-		eq[PersonalAccessTokenColumnOwnerRemoved.identifier()] = false
+		PersonalAccessTokenColumnID.identifier():           id,
+		PersonalAccessTokenColumnInstanceID.identifier():   authz.GetInstance(ctx).InstanceID(),
+		PersonalAccessTokenColumnOwnerRemoved.identifier(): false,
 	}
 	stmt, args, err := query.Where(eq).ToSql()
 	if err != nil {
@@ -123,18 +131,34 @@ func (q *Queries) PersonalAccessTokenByID(ctx context.Context, shouldTriggerBulk
 	return pat, nil
 }
 
-func (q *Queries) SearchPersonalAccessTokens(ctx context.Context, queries *PersonalAccessTokenSearchQueries, withOwnerRemoved bool) (personalAccessTokens *PersonalAccessTokens, err error) {
+// SearchPersonalAccessTokens returns personal access token resources.
+// If permissionCheck is nil, the PATs are not filtered.
+// If permissionCheck is not nil and the PermissionCheckV2 feature flag is false, the returned PATs are filtered in-memory by the given permission check.
+// If permissionCheck is not nil and the PermissionCheckV2 feature flag is true, the returned PATs are filtered in the database.
+func (q *Queries) SearchPersonalAccessTokens(ctx context.Context, queries *PersonalAccessTokenSearchQueries, permissionCheck domain.PermissionCheck) (authNKeys *PersonalAccessTokens, err error) {
+	permissionCheckV2 := PermissionV2(ctx, permissionCheck)
+	keys, err := q.searchPersonalAccessTokens(ctx, queries, permissionCheckV2)
+	if err != nil {
+		return nil, err
+	}
+	if permissionCheck != nil && !authz.GetFeatures(ctx).PermissionCheckV2 {
+		patsCheckPermission(ctx, keys, permissionCheck)
+	}
+	return keys, nil
+}
+
+func (q *Queries) searchPersonalAccessTokens(ctx context.Context, queries *PersonalAccessTokenSearchQueries, permissionCheckV2 bool) (personalAccessTokens *PersonalAccessTokens, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
 
 	query, scan := preparePersonalAccessTokensQuery()
+	query = queries.toQuery(query)
+	query = userPermissionCheckV2WithCustomColumns(ctx, query, permissionCheckV2, queries.Queries, PersonalAccessTokenColumnResourceOwner, PersonalAccessTokenColumnUserID)
 	eq := sq.Eq{
-		PersonalAccessTokenColumnInstanceID.identifier(): authz.GetInstance(ctx).InstanceID(),
+		PersonalAccessTokenColumnInstanceID.identifier():   authz.GetInstance(ctx).InstanceID(),
+		PersonalAccessTokenColumnOwnerRemoved.identifier(): false,
 	}
-	if !withOwnerRemoved {
-		eq[PersonalAccessTokenColumnOwnerRemoved.identifier()] = false
-	}
-	stmt, args, err := queries.toQuery(query).Where(eq).ToSql()
+	stmt, args, err := query.Where(eq).ToSql()
 	if err != nil {
 		return nil, zerrors.ThrowInvalidArgument(err, "QUERY-Hjw2w", "Errors.Query.InvalidRequest")
 	}
@@ -160,6 +184,18 @@ func NewPersonalAccessTokenUserIDSearchQuery(value string) (SearchQuery, error)
 	return NewTextQuery(PersonalAccessTokenColumnUserID, value, TextEquals)
 }
 
+func NewPersonalAccessTokenIDQuery(id string) (SearchQuery, error) {
+	return NewTextQuery(PersonalAccessTokenColumnID, id, TextEquals)
+}
+
+func NewPersonalAccessTokenCreationDateQuery(ts time.Time, compare TimestampComparison) (SearchQuery, error) {
+	return NewTimestampQuery(PersonalAccessTokenColumnCreationDate, ts, compare)
+}
+
+func NewPersonalAccessTokenExpirationDateDateQuery(ts time.Time, compare TimestampComparison) (SearchQuery, error) {
+	return NewTimestampQuery(PersonalAccessTokenColumnExpiration, ts, compare)
+}
+
 func (r *PersonalAccessTokenSearchQueries) AppendMyResourceOwnerQuery(orgID string) error {
 	query, err := NewPersonalAccessTokenResourceOwnerSearchQuery(orgID)
 	if err != nil {