feat(permissions): system user support for permission check v2

[kkrime]

Which Problems Are Solved

For permissoin check v2, we currently check the human users permissions from the DB, however for system users (from the config, which would not be in the DB), their permissions are not in the DB, but are in a config file like defaults.yaml.

• The current check involves all users (human, machine) in the DB and excludes only system users
• It's redundant to mention twice that system users are not in the DB.

How the Problems Are Solved

• Can you please expand a bit on your implementation? For example:
  • what is the precedence of the permissions being applied.
  • which role-permission configuration is used for the system users (should be runtime, but currently is DB, see my other comment)
  • Mention details such as "roles are loaded once per request and cached", which you did in a separate comment.

The way the permissions work are based on the following:
https://zitadel.slack.com/archives/C087ADF8LRX/p1742207808062949?thread_ts=1742206770.965909&cid=C087ADF8LRX

Additional Changes

Important to note from this point onwards, System Users permissions will be picked up from SystemAuthz (added to default.yaml) NOT InternalAuthz

• Closes Handle system users for database permissions #9189

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
docs	🛑 Canceled (Inspect)			Mar 25, 2025 6:00pm

[github-actions]

Thanks for your contribution @kkrime! 🎉

Please make sure you tick the following checkboxes before marking this Pull Request (PR) as ready for review:

• I am happy with the code
• Documentations and examples are up-to-date
• Logical behavior changes are tested automatically
• No debug or dead code
• My code has no repetitions
• The PR title adheres to the conventional commit format
• The example texts in the PR description are replaced.
• If there are any open TODOs or follow-ups, they are described in issues and link to this PR
• If there are deviations from a user stories acceptance criteria or design, they are agreed upon with the PO and documented.

[codecov]

Codecov Report

Attention: Patch coverage is 74.13793% with 30 lines in your changes missing coverage. Please review.

Project coverage is 63.36%. Comparing base (febf410) to head (a9fcb3e).
Report is 3 commits behind head on main.

Files with missing lines	Patch %	Lines
cmd/setup/52.go	53.84%	4 Missing and 2 partials ⚠️
internal/integration/system.go	53.84%	4 Missing and 2 partials ⚠️
internal/api/authz/authorization.go	87.50%	3 Missing and 1 partial ⚠️
internal/query/user.go	20.00%	3 Missing and 1 partial ⚠️
internal/query/permission.go	72.72%	2 Missing and 1 partial ⚠️
cmd/mirror/projections.go	0.00%	2 Missing ⚠️
cmd/setup/setup.go	50.00%	2 Missing ⚠️
cmd/start/start.go	85.71%	1 Missing ⚠️
internal/api/http/middleware/auth_interceptor.go	87.50%	1 Missing ⚠️
internal/id/sonyflake.go	0.00%	1 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff             @@
##             main    #9460       +/-   ##
===========================================
+ Coverage   39.00%   63.36%   +24.35%     
===========================================
  Files        1547     1627       +80     
  Lines      148805   152867     +4062     
===========================================
+ Hits        58044    96859    +38815     
+ Misses      86219    51144    -35075     
- Partials     4542     4864      +322     

Flag	Coverage Δ
core-integration-tests-postgres	39.03% <76.23%> (+0.02%)	⬆️
core-unit-tests	46.25% <40.47%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[kkrime]

@livio-a I need to make this change otherwise it starts complaining about a unsupported feture in my sql scripts in the e2e browser pipeline

[livio-a]

if it doesn't work with cockroach, we need to make sure it's only released as part of v3 (target branch for that is v3.x)

[muhlemmer]

Replaced by #9640