fix(permissions): chunked synchronization of role permission events (#9403)

# Which Problems Are Solved

Setup fails to push all role permission events when running Zitadel with
CockroachDB. `TransactionRetryError`s were visible in logs which finally
times out the setup job with `timeout: context deadline exceeded`

# How the Problems Are Solved

As suggested in the [Cockroach documentation](timeout: context deadline
exceeded), _"break down larger transactions"_. The commands to be pushed
for the role permissions are chunked in 50 events per push. This
chunking is only done with CockroachDB.

# Additional Changes

- gci run fixed some unrelated imports
- access to `command.Commands` for the setup job, so we can reuse the
sync logic.

# Additional Context

Closes #9293

---------

Co-authored-by: Silvan <27845747+adlerhurst@users.noreply.github.com>

cmd/setup/sync_role_permissions.go

@@ -2,29 +2,22 @@ package setup
 
 import (
 	"context"
-	"database/sql"
 	_ "embed"
 	"fmt"
-	"strings"
 
 	"github.com/zitadel/logging"
 
 	"github.com/zitadel/zitadel/internal/api/authz"
-	"github.com/zitadel/zitadel/internal/database"
+	"github.com/zitadel/zitadel/internal/command"
 	"github.com/zitadel/zitadel/internal/eventstore"
 	"github.com/zitadel/zitadel/internal/repository/instance"
-	"github.com/zitadel/zitadel/internal/repository/permission"
-)
-
-var (
-	//go:embed sync_role_permissions.sql
-	getRolePermissionOperationsQuery string
 )
 
 // SyncRolePermissions is a repeatable step which synchronizes the InternalAuthZ
 // RolePermissionMappings from the configuration to the database.
 // This is needed until role permissions are manageable over the API.
 type SyncRolePermissions struct {
+	commands               *command.Commands
 	eventstore             *eventstore.Eventstore
 	rolePermissionMappings []authz.RoleMapping
 }
@@ -38,18 +31,11 @@ func (mig *SyncRolePermissions) Execute(ctx context.Context, _ eventstore.Event)
 
 func (mig *SyncRolePermissions) executeSystem(ctx context.Context) error {
 	logging.WithFields("migration", mig.String()).Info("prepare system role permission sync events")
-
-	target := rolePermissionMappingsToDatabaseMap(mig.rolePermissionMappings, true)
-	cmds, err := mig.synchronizeCommands(ctx, "SYSTEM", target)
+	details, err := mig.commands.SynchronizeRolePermission(ctx, "SYSTEM", mig.rolePermissionMappings)
 	if err != nil {
 		return err
 	}
-	events, err := mig.eventstore.Push(ctx, cmds...)
-	if err != nil {
-		return err
-	}
-
-	logging.WithFields("migration", mig.String(), "pushed_events", len(events)).Info("pushed system role permission sync events")
+	logging.WithFields("migration", mig.String(), "sequence", details.Sequence).Info("pushed system role permission sync events")
 	return nil
 }
 
@@ -70,51 +56,17 @@ func (mig *SyncRolePermissions) executeInstances(ctx context.Context) error {
 	if err != nil {
 		return err
 	}
-	target := rolePermissionMappingsToDatabaseMap(mig.rolePermissionMappings, false)
 	for i, instanceID := range instances {
 		logging.WithFields("instance_id", instanceID, "migration", mig.String(), "progress", fmt.Sprintf("%d/%d", i+1, len(instances))).Info("prepare instance role permission sync events")
-		cmds, err := mig.synchronizeCommands(ctx, instanceID, target)
+		details, err := mig.commands.SynchronizeRolePermission(ctx, instanceID, mig.rolePermissionMappings)
 		if err != nil {
 			return err
 		}
-		events, err := mig.eventstore.Push(ctx, cmds...)
-		if err != nil {
-			return err
-		}
-		logging.WithFields("instance_id", instanceID, "migration", mig.String(), "pushed_events", len(events)).Info("pushed instance role permission sync events")
+		logging.WithFields("instance_id", instanceID, "migration", mig.String(), "sequence", details.Sequence).Info("pushed instance role permission sync events")
 	}
 	return nil
 }
 
-// synchronizeCommands checks the current state of role permissions in the eventstore for the aggregate.
-// It returns the commands required to reach the desired state passed in target.
-// For system level permissions aggregateID must be set to `SYSTEM`,
-// else it is the instance ID.
-func (mig *SyncRolePermissions) synchronizeCommands(ctx context.Context, aggregateID string, target database.Map[[]string]) (cmds []eventstore.Command, err error) {
-	aggregate := permission.NewAggregate(aggregateID)
-	err = mig.eventstore.Client().QueryContext(ctx, func(rows *sql.Rows) error {
-		for rows.Next() {
-			var operation, role, perm string
-			if err := rows.Scan(&operation, &role, &perm); err != nil {
-				return err
-			}
-			logging.WithFields("aggregate_id", aggregateID, "migration", mig.String(), "operation", operation, "role", role, "permission", perm).Debug("sync role permission")
-			switch operation {
-			case "add":
-				cmds = append(cmds, permission.NewAddedEvent(ctx, aggregate, role, perm))
-			case "remove":
-				cmds = append(cmds, permission.NewRemovedEvent(ctx, aggregate, role, perm))
-			}
-		}
-		return rows.Close()
-
-	}, getRolePermissionOperationsQuery, aggregateID, target)
-	if err != nil {
-		return nil, err
-	}
-	return cmds, err
-}
-
 func (*SyncRolePermissions) String() string {
 	return "repeatable_sync_role_permissions"
 }
@@ -122,13 +74,3 @@ func (*SyncRolePermissions) String() string {
 func (*SyncRolePermissions) Check(lastRun map[string]interface{}) bool {
 	return true
 }
-
-func rolePermissionMappingsToDatabaseMap(mappings []authz.RoleMapping, system bool) database.Map[[]string] {
-	out := make(database.Map[[]string], len(mappings))
-	for _, m := range mappings {
-		if system == strings.HasPrefix(m.Role, "SYSTEM") {
-			out[m.Role] = m.Permissions
-		}
-	}
-	return out
-}