feat: exchange gRPC server implementation to connectRPC (#10145)

# Which Problems Are Solved

The current maintained gRPC server in combination with a REST (grpc)
gateway is getting harder and harder to maintain. Additionally, there
have been and still are issues with supporting / displaying `oneOf`s
correctly.
We therefore decided to exchange the server implementation to
connectRPC, which apart from supporting connect as protocol, also also
"standard" gRCP clients as well as HTTP/1.1 / rest like clients, e.g.
curl directly call the server without any additional gateway.

# How the Problems Are Solved

- All v2 services are moved to connectRPC implementation. (v1 services
are still served as pure grpc servers)
- All gRPC server interceptors were migrated / copied to a corresponding
connectRPC interceptor.
- API.ListGrpcServices and API. ListGrpcMethods were changed to include
the connect services and endpoints.
- gRPC server reflection was changed to a `StaticReflector` using the
`ListGrpcServices` list.
- The `grpc.Server` interfaces was split into different combinations to
be able to handle the different cases (grpc server and prefixed gateway,
connect server with grpc gateway, connect server only, ...)
- Docs of services serving connectRPC only with no additional gateway
(instance, webkey, project, app, org v2 beta) are changed to expose that
- since the plugin is not yet available on buf, we download it using
`postinstall` hook of the docs

# Additional Changes

- WebKey service is added as v2 service (in addition to the current
v2beta)

# Additional Context

closes #9483

---------

Co-authored-by: Elio Bischof <elio@zitadel.com>

internal/api/grpc/server/connect_middleware/auth_interceptor.go

@@ -0,0 +1,65 @@
+package connect_middleware
+
+import (
+	"context"
+	"errors"
+
+	"connectrpc.com/connect"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/api/http"
+	"github.com/zitadel/zitadel/internal/telemetry/tracing"
+)
+
+func AuthorizationInterceptor(verifier authz.APITokenVerifier, systemUserPermissions authz.Config, authConfig authz.Config) connect.UnaryInterceptorFunc {
+	return func(handler connect.UnaryFunc) connect.UnaryFunc {
+		return func(ctx context.Context, req connect.AnyRequest) (connect.AnyResponse, error) {
+			return authorize(ctx, req, handler, verifier, systemUserPermissions, authConfig)
+		}
+	}
+}
+
+func authorize(ctx context.Context, req connect.AnyRequest, handler connect.UnaryFunc, verifier authz.APITokenVerifier, systemUserPermissions authz.Config, authConfig authz.Config) (_ connect.AnyResponse, err error) {
+	authOpt, needsToken := verifier.CheckAuthMethod(req.Spec().Procedure)
+	if !needsToken {
+		return handler(ctx, req)
+	}
+
+	authCtx, span := tracing.NewServerInterceptorSpan(ctx)
+	defer func() { span.EndWithError(err) }()
+
+	authToken := req.Header().Get(http.Authorization)
+	if authToken == "" {
+		return nil, connect.NewError(connect.CodeUnauthenticated, errors.New("auth header missing"))
+	}
+
+	orgID, orgDomain := orgIDAndDomainFromRequest(req)
+	ctxSetter, err := authz.CheckUserAuthorization(authCtx, req, authToken, orgID, orgDomain, verifier, systemUserPermissions.RolePermissionMappings, authConfig.RolePermissionMappings, authOpt, req.Spec().Procedure)
+	if err != nil {
+		return nil, err
+	}
+	span.End()
+	return handler(ctxSetter(ctx), req)
+}
+
+func orgIDAndDomainFromRequest(req connect.AnyRequest) (id, domain string) {
+	orgID := req.Header().Get(http.ZitadelOrgID)
+	oz, ok := req.Any().(OrganizationFromRequest)
+	if ok {
+		id = oz.OrganizationFromRequestConnect().ID
+		domain = oz.OrganizationFromRequestConnect().Domain
+		if id != "" || domain != "" {
+			return id, domain
+		}
+	}
+	return orgID, domain
+}
+
+type Organization struct {
+	ID     string
+	Domain string
+}
+
+type OrganizationFromRequest interface {
+	OrganizationFromRequestConnect() *Organization
+}