perf(query): org permission function for resources (#9677)

# Which Problems Are Solved

Classic permission checks execute for every returned row on resource
based search APIs. Complete background and problem definition can be
found here: https://github.com/zitadel/zitadel/issues/9188

# How the Problems Are Solved

- PermissionClause function now support dynamic query building, so it
supports multiple cases.
- PermissionClause is applied to all list resources which support org
level permissions.
- Wrap permission logic into wrapper functions so we keep the business
logic clean.

# Additional Changes

- Handle org ID optimization in the query package, so it is reusable for
all resources, instead of extracting the filter in the API.
- Cleanup and test system user conversion in the authz package. (context
middleware)
- Fix: `core_integration_db_up` make recipe was missing the postgres
service.

# Additional Context

- Related to https://github.com/zitadel/zitadel/issues/9190

internal/query/query.go

@@ -148,3 +148,16 @@ func triggerBatch(ctx context.Context, handlers ...*handler.Handler) {
 
 	wg.Wait()
 }
+
+func findTextEqualsQuery(column Column, queries []SearchQuery) string {
+	for _, query := range queries {
+		if query.Col() != column {
+			continue
+		}
+		tq, ok := query.(*textQuery)
+		if ok && tq.Compare == TextEquals {
+			return tq.Text
+		}
+	}
+	return ""
+}