fix: user addition to groups and enforces idempotency

This MR fixes an issue with user addition

1. Previously during user addition, the userEmail was explicitly removed first and then re-added. This operation can be performed any number of times using a JWT issued for any authorized entity other the userEmail. However when the same userEmail is added the second time using a JWT authorized for the userEmail, the user addition logic removes the user first. Since this removal, the JWT with azp set to userEmail loses complete access to the subproject/dataset.

2. There is a need to maintain idempotency for the user entitlements to fix 1). This MR catches 409 conflicts and if the expectedRole for the input userEmail does not match the existing entitlements role then an error is thrown. If the roles match no error is returned. This ensures the useremail can be added any number of times if the entitlements role and the user input role matches.

3. If an error is returned with 409 Conflicts, then the end-user will need to first delete the user completely and re-add.

4. Refactors the code for improving readability