Check space/org permissions by id, not guid

[will-gant]

Thanks for contributing to cloud_controller_ng. To speed up the process of reviewing your pull request please provide us with:

A short explanation of the proposed change:

Optimizes the way controllers check user permissions by cutting out lots and lots of duplicate DB queries for spaces and orgs.

An explanation of the use cases your change solves:

Until now we've been doing something like this for a large chunk of API calls:

# app/controllers/v3/foo_controller.rb
def create
  foo = Foo.find(guid: hashed_params[:guid])
  org = foo.organization
  foo_not_found! unless @foo && permission_queryer.can_read_whatever?(org.guid)
  ...
end

# lib/cloud_controller/permissions.rb
def can_read_whatever?(org_guid)
  can_read_globally? || membership.has_any_roles?(ROLES_FOR_WHATEVER, nil, org_guid)
end

# lib/cloud_controller/membership.rb
def has_any_roles?(roles, space_guid=nil, org_guid=nil)
  org_id = Organization.where(guid: org_guid).select(:id)
  ...
end

Basically a controller action does a DB query to look up an org or a space purely so it can pass the guid of whichever it is through (ultimately) to VCAP::CloudController::Membership. The latter then uses the guid to do another DB query to look up the same row to get that thing's id. Silly.

The changes in summary:

• Where we want to check a user's permissions in relation to a specific org or space, the controller now passes the org/space's id instead of its guid
• Since we no longer need org guids for most permissions checks, if we've already looked up a space we can skip looking up its org in the controller entirely - rows in the spaces table have an organization_id column.
• Fetchers. Some of these (e.g. AppFetcher) have fetch methods whose return values previously included an org. For some fetchers the org was only ever retrieved so its guid could passed for a permissions check. Such fetchers now no longer return orgs.

Links to any other associated PRs:

n/a

• I have reviewed the contributing guide

• I have viewed, signed, and submitted the Contributor License Agreement

• I have made this pull request to the main branch

• I have run all the unit tests using bundle exec rake

• I have run CF Acceptance Tests

[will-gant]

Cool, just ran this successfully through the cf-acceptance-tests (a partial run), swapping this PR in for src/cloud_controller_ng in CAPI 1.140.0. Ran the following from CATs:

apps
container_networking
detect
docker
internet_dependent
routing
service_instance_sharing
services
ssh
sso
tasks
v3