refactor: remove REST users/ACLs/quotas after Connect Query migration (UX-1199)

The frontend already calls dataplane.v1.UserService, ACLService, and
QuotaService directly via Connect Query. The REST handlers and their
backend-api.ts callers were dead code still being served but no longer
consumed. Remove them along with the now-orphaned ConsoleSvc methods.

Backend
- Delete handle_users.go (GET/POST/DELETE /api/users)
- Delete handle_quotas.go (GET /api/quotas)
- Drop handleCreateACL / handleDeleteACLs from handle_acls.go and the
  POST/DELETE /api/acls route registrations; keep GET /api/acls — still
  used by the frontend Zustand store for isAuthorizerEnabled detection
  (Phase 2 will remove the route once detection switches to RPC error
  codes; tracked under UX-1210)
- Drop CreateACL / DeleteACLs / DescribeQuotas from the Servicer
  interface and the corresponding methods/types from create_acl.go,
  delete_acls.go, describe_quotas.go (kept the *Kafka / *Client variants
  that the Connect handlers still call)

Frontend
- Strip refresh/createServiceAccount/deleteServiceAccount, refreshQuotas,
  createACL/deleteACLs from backend-api.ts and the matching response
  types from rest-interfaces.ts
- Drop legacy ACL conversion helpers from react-query/api/acl.tsx
- Fix useCreateACLMutation invalidating listACLs with cardinality
  'infinite' while the actual query uses useQuery (finite) — the
  invalidation silently no-op'd, leaving a stale ACL list after every
  successful create
- Guard ACL create/update navigation on mutation success so the form
  stops navigating away on failed submits (regression surfaced by the
  new e2e suite — UX-1218)

Cross-repo: apps/redpanda-connect-api/tenant/api.go in cloudv2 has
already been migrated off these REST endpoints; tests/e2e-billing/...
is the only remaining REST caller (test-only, lower impact).

Author: c-julin

backend/pkg/api/handle_acls.go

@@ -10,7 +10,6 @@
 package api
 
 import (
-	"errors"
 	"fmt"
 	"net/http"
 
@@ -97,155 +96,3 @@ func (api *API) handleGetACLsOverview() http.HandlerFunc {
 		rest.SendResponse(w, r, api.Logger, http.StatusOK, res)
 	}
 }
-
-type deleteAclsRequest struct {
-	// The resource type.
-	ResourceType kmsg.ACLResourceType `schema:"resourceType"`
-
-	// The resource name, or null to match any resource name.
-	ResourceName *string `schema:"resourceName"`
-
-	// The resource pattern to match.
-	ResourcePatternType kmsg.ACLResourcePatternType `schema:"resourcePatternType"`
-
-	// The principal to match, or null to match any principal.
-	Principal *string `schema:"principal"`
-
-	// The host to match, or null to match any host.
-	Host *string `schema:"host"`
-
-	// The operation to match.
-	Operation kmsg.ACLOperation `schema:"operation"`
-
-	// The permission type to match.
-	PermissionType kmsg.ACLPermissionType `schema:"permissionType"`
-}
-
-// ToKafkaRequest returns a request struct that complies with the expected request object for the Kafka library
-func (g *deleteAclsRequest) ToKafkaRequest() kmsg.DeleteACLsRequestFilter {
-	reqFilter := kmsg.NewDeleteACLsRequestFilter()
-	reqFilter.PermissionType = g.PermissionType
-	reqFilter.Operation = g.Operation
-	reqFilter.Host = g.Host
-	reqFilter.Principal = g.Principal
-	reqFilter.ResourcePatternType = g.ResourcePatternType
-	reqFilter.ResourceName = g.ResourceName
-	reqFilter.ResourceType = g.ResourceType
-
-	return reqFilter
-}
-
-func (api *API) handleDeleteACLs() http.HandlerFunc {
-	return func(w http.ResponseWriter, r *http.Request) {
-		// Parse request from body
-		var req deleteAclsRequest
-		restErr := rest.Decode(w, r, &req)
-		if restErr != nil {
-			rest.SendRESTError(w, r, api.Logger, restErr)
-			return
-		}
-
-		aclDeleteRes, restErr := api.ConsoleSvc.DeleteACLs(r.Context(), req.ToKafkaRequest())
-		if restErr != nil {
-			rest.SendRESTError(w, r, api.Logger, restErr)
-			return
-		}
-
-		rest.SendResponse(w, r, api.Logger, http.StatusOK, aclDeleteRes)
-	}
-}
-
-// CreateACLRequest defines the HTTP request payload for creating Kafka ACLs.
-type CreateACLRequest struct {
-	// ResourceType is the type of resource this acl entry will be on.
-	// It is invalid to use UNKNOWN or ANY.
-	ResourceType kmsg.ACLResourceType `schema:"resourceType"`
-
-	// ResourceName is the name of the resource this acl entry will be on.
-	// For CLUSTER, this must be "kafka-cluster".
-	ResourceName string `schema:"resourceName"`
-
-	// ResourcePatternType is the pattern type to use for the resource name.
-	// This cannot be UNKNOWN or MATCH (i.e. this must be LITERAL or PREFIXED).
-	// The default for pre-Kafka 2.0.0 is effectively LITERAL.
-	ResourcePatternType kmsg.ACLResourcePatternType `schema:"resourcePatternType"`
-
-	// Principal is the user to apply this acl for. With the Kafka simple
-	// authorizer, this must begin with "User:".
-	Principal string `schema:"principal"`
-
-	// Host is the host address to use for this acl. Each host to allow
-	// the principal access from must be specified as a new creation. KIP-252
-	// might solve this someday. The special wildcard host "*" allows all hosts.
-	Host string `schema:"host"`
-
-	// Operation is the operation this acl is for. This must not be UNKNOWN or
-	// ANY.
-	Operation kmsg.ACLOperation `schema:"operation"`
-
-	// PermissionType is the permission of this acl. This must be either ALLOW
-	// or DENY.
-	PermissionType kmsg.ACLPermissionType `schema:"permissionType"`
-}
-
-// OK validates the user input for the create acl request.
-func (c *CreateACLRequest) OK() error {
-	if c.ResourceType == kmsg.ACLResourceTypeAny {
-		return fmt.Errorf("acl resource type must not be any (1), but found: %q", c.ResourceType)
-	}
-
-	// Check Resource pattern type - must be LITERAL (3) or PREFIXED (4)
-	switch c.ResourcePatternType {
-	case kmsg.ACLResourcePatternTypeLiteral, kmsg.ACLResourcePatternTypePrefixed:
-	default:
-		return errors.New("resourcePatternType is invalid, must be either LITERAL (3) or PREFIXED (4)")
-	}
-
-	// Check Operation - must not be Any (1)
-	if c.Operation == kmsg.ACLOperationAny {
-		return errors.New("operation type any (1) is not allowed for creating a new ACL")
-	}
-
-	// Permission type must be either 'deny' (2) or 'any' (1)
-	switch c.PermissionType {
-	case kmsg.ACLPermissionTypeDeny, kmsg.ACLPermissionTypeAllow:
-	default:
-		return errors.New("given permission type is invalid, it must be either allow (3) or deny (2)")
-	}
-
-	return nil
-}
-
-// ToKafkaRequest returns a request struct that complies with the expected request object for the Kafka library
-func (c *CreateACLRequest) ToKafkaRequest() kmsg.CreateACLsRequestCreation {
-	reqFilter := kmsg.NewCreateACLsRequestCreation()
-	reqFilter.PermissionType = c.PermissionType
-	reqFilter.Operation = c.Operation
-	reqFilter.Host = c.Host
-	reqFilter.Principal = c.Principal
-	reqFilter.ResourcePatternType = c.ResourcePatternType
-	reqFilter.ResourceName = c.ResourceName
-	reqFilter.ResourceType = c.ResourceType
-
-	return reqFilter
-}
-
-func (api *API) handleCreateACL() http.HandlerFunc {
-	return func(w http.ResponseWriter, r *http.Request) {
-		// Parse request from url parameters & validate it as part of Decode()
-		var req CreateACLRequest
-		restErr := rest.Decode(w, r, &req)
-		if restErr != nil {
-			rest.SendRESTError(w, r, api.Logger, restErr)
-			return
-		}
-
-		restErr = api.ConsoleSvc.CreateACL(r.Context(), req.ToKafkaRequest())
-		if restErr != nil {
-			rest.SendRESTError(w, r, api.Logger, restErr)
-			return
-		}
-
-		rest.SendResponse(w, r, api.Logger, http.StatusOK, nil)
-	}
-}