AccessControl: Implement teams resource service (#43951)

* AccessControl: cover team permissions

Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>

* Add background service as a consumer to resource_services

Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>

* Define actions in roles.go

Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>

* Remove action from accesscontrol model

 Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>

* As suggested by kalle

* move some changes from branch to the skeleton PR

* Add background service as a consumer to resource_services

Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>

* moving resourceservice to the main wire file pt2

* move team related actions so that they can be reused

* PR feedback

* fix

* typo

* Access Control: adding hooks for team member endpoints (#43991)

* AccessControl: cover team permissions

Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>

* Add background service as a consumer to resource_services

Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>

* Define actions in roles.go

Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>

* Remove action from accesscontrol model

 Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>

* As suggested by kalle

* add access control to list and add team member endpoint, and hooks for adding team members

* member permission type is 0

* add ID scope for team permission checks

* add more team actions, use Member for member permission name

* protect team member update endpoint with FGAC permissions

* update SQL functions for teams and the corresponding tests

* also protect team member removal endpoint with FGAC permissions and add a hook to permission service

* a few small fixes, provide team permission service to test setup

* AccessControl: cover team permissions

Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>

* Add background service as a consumer to resource_services

Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>

* Define actions in roles.go

Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>

* Remove action from accesscontrol model

 Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>

* As suggested by kalle

* move some changes from branch to the skeleton PR

* remove resource services from wireexts

* remove unneeded actions

* linting fix

* remove comments

* feedback fixes

* feedback

* simplifying

* remove team member within the same transaction

* fix a mistake with the error

* call the correct sql function

* linting

* Access control: tests for team member endpoints (#44177)

* tests for team member endpoints

* clean up and fix the tests

* fixing tests take 2

* don't import enterprise test license

* don't import enterprise test license

* remove unused variable

Co-authored-by: gamab <gabi.mabs@gmail.com>
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>

Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
Gabriel MABILLE
2022-01-26 15:48:41 +01:00
committed by GitHub
parent 46422a82c8
commit d4f682190f
14 changed files with 615 additions and 145 deletions


@@ -1,6 +1,7 @@
package api
import (
"context"
"encoding/json"
"fmt"
"net/http"
@@ -10,6 +11,7 @@ import (
"github.com/grafana/grafana/pkg/infra/log"
"github.com/grafana/grafana/pkg/models"
"github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/services/accesscontrol/resourcepermissions"
"github.com/grafana/grafana/pkg/services/sqlstore"
"github.com/grafana/grafana/pkg/setting"
"github.com/grafana/grafana/pkg/web"
@@ -79,11 +81,11 @@ func TestTeamAPIEndpoint(t *testing.T) {
teamName := "team foo"
// TODO: Use a fake SQLStore when it's represented by an interface
origCreateTeam := createTeam
origAddTeamMember := addTeamMember
orgCreateTeam := createTeam
orgAddTeamMember := addOrUpdateTeamMember
t.Cleanup(func() {
createTeam = origCreateTeam
addTeamMember = origAddTeamMember
createTeam = orgCreateTeam
addOrUpdateTeamMember = orgAddTeamMember
})
createTeamCalled := 0
@@ -93,8 +95,8 @@ func TestTeamAPIEndpoint(t *testing.T) {
}
addTeamMemberCalled := 0
addTeamMember = func(sqlStore *sqlstore.SQLStore, userID, orgID, teamID int64, isExternal bool,
permission models.PermissionType) error {
addOrUpdateTeamMember = func(ctx context.Context, resourcePermissionService *resourcepermissions.Service, userID, orgID, teamID int64,
permission string) error {
addTeamMemberCalled++
return nil
}
@@ -179,7 +181,7 @@ func TestTeamAPIEndpoint_CreateTeam_FGAC(t *testing.T) {
setInitCtxSignedInViewer(sc.initCtx)
input := strings.NewReader(fmt.Sprintf(createTeamCmd, 1))
t.Run("Access control allows creating teams with the correct permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionTeamsCreate}}, 1)
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsCreate}}, 1)
response := callAPI(sc.server, http.MethodPost, createTeamURL, input, t)
assert.Equal(t, http.StatusOK, response.Code)
})
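Review bot: The `addOrUpdateTeamMember` stub installed in `TestTeamAPIEndpoint` (hunk `@@ -93,8 +95,8 @@`) only increments `addTeamMemberCalled` and discards `userID`, `teamID` and `permission`, so the test still passes if the handler grants the wrong permission level or targets the wrong team. Since `permission` is now a plain `string` instead of `models.PermissionType`, the compiler no longer rejects an unexpected value; consider capturing it in the stub, e.g. `gotPermission = permission`, and asserting it against the level the handler is expected to grant to the team creator. As a style point, the rename to `orgCreateTeam` / `orgAddTeamMember` reads as "organization" next to `orgID` in the same signature; the previous `orig` prefix was clearer. The test function body continues outside the visible hunks, so an assertion of this kind may already exist elsewhere in the file.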