rbac: rework API for terraform, add blueprint support (#10698)

* rbac: rework API slightly to improve terraform compatibility

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* sigh https://www.django-rest-framework.org/api-guide/filtering/#filtering-and-object-lookups

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add permission support for users global permissions

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add role support to blueprints

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix yaml tags

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add generated read-only role

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix web

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* make permissions optional

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add docs

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add object permission support to blueprints

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix tests kinda

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add more tests and fix bugs

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

blueprints/default/rbac-role-read-only.yaml

@@ -0,0 +1,28 @@
+metadata:
+  name: Default - RBAC - Read-only
+version: 1
+entries:
+  - model: authentik_rbac.role
+    identifiers:
+      name: authentik Read-only
+    id: role
+    attrs:
+      permissions: !Enumerate [
+          !Context goauthentik.io/rbac/models,
+          SEQ,
+          !Format [
+              "%s.view_%s",
+              !Value 0,
+              !Index 0,
+          ],
+      ]
+  - model: authentik_core.group
+    identifiers:
+      name: authentik Read-only
+    attrs:
+      roles:
+        - !KeyOf role
+      is_superuser: false
+      attributes:
+        notes: |
+          An group with an auto-generated role that allows read-only permissions on all objects.