Add role management endpoints

[leovalais]

Tip

Review each commit individually.

Refs #8743

This PR lacks the following elements:

• Unit tests
  • Authorizer logic
  • PgAuthDriver
  • Endpoints
• Documentation

However I suggest we merge it like this if its content is good enough to allow @kmer2016 to work on the frontend part as soon as possible. Consequently, to also sum up the comments of this PR, we'll need to:

1. create a CLI command to grant builtin roles to a subject: RBAC: CLI interface #8744
2. remove application roles which are more than superfluous until we have a proper admin panel: Add role management endpoints #8984 (comment)
3. work on tests and documentation
4. improve DbConnection API: Add role management endpoints #8984 (comment)

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

Attention: Patch coverage is 49.09091% with 140 lines in your changes missing coverage. Please review.

Project coverage is 37.14%. Comparing base (795c30a) to head (ce257e6).
Report is 26 commits behind head on dev.

Files with missing lines	Patch %	Lines
editoast/src/views/authz.rs	32.08%	91 Missing ⚠️
editoast/editoast_authz/src/authorizer.rs	0.00%	26 Missing ⚠️
front/src/common/api/generatedEditoastApi.ts	91.01%	8 Missing ⚠️
editoast/editoast_authz/src/roles.rs	0.00%	7 Missing ⚠️
editoast/src/models/auth.rs	50.00%	7 Missing ⚠️
editoast/src/views/mod.rs	50.00%	1 Missing ⚠️

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@             Coverage Diff              @@
##                dev    #8984      +/-   ##
============================================
+ Coverage     37.11%   37.14%   +0.03%     
  Complexity     2241     2241              
============================================
  Files          1262     1263       +1     
  Lines        115834   116059     +225     
  Branches       3277     3277              
============================================
+ Hits          42991    43110     +119     
- Misses        70889    70995     +106     
  Partials       1954     1954              

Flag	Coverage Δ
core	74.79% <ø> (ø)
editoast	72.16% <29.03%> (-0.22%)	⬇️
front	15.29% <91.01%> (+0.10%)	⬆️
gateway	2.22% <ø> (ø)
osrdyne	2.57% <ø> (ø)
railjson_generator	87.49% <ø> (ø)
tests	86.46% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[woshilapin]

I hope the entire PR will be squashed because

#[cfg(test)]
mod test_app;

is removed in e08d2f4 and only comes back 3 commits later in 6c32f1a. Similar inconsistencies happen when utoipa annotations are added/modified but openapi.yaml is updated in a subsequent commit.

[flomonster]

Great PR.

I think it's going to be a pain not to have a “role config” in this repository but in the deployment repository. It's great that it can be overridden, but knowing that you're likely to want to update it regularly (until the whole thing has stabilized and settled down), it's error prone.

[leovalais]

I hope the entire PR will be squashed

It will. I just split it to help with the review. I may keep a few commits (especially for the stdcm env part), but I'll split it right this time 😁

I think it's going to be a pain not to have a “role config” in this repository but in the deployment repository. It's great that it can be overridden, but knowing that you're likely to want to update it regularly (until the whole thing has stabilized and settled down), it's error prone.

Agreed. I am becoming increasingly convinced that we don't need application roles after all. (Or at least until we have a proper administration panel.) Maybe it wouldn't be so bad to remove them since we are the ones who will grant roles anyway.

[flomonster]

Agreed. I am becoming increasingly convinced that we don't need application roles after all. (Or at least until we have a proper administration panel.) Maybe it wouldn't be so bad to remove them since we are the ones who will grant roles anyway.

Another argument is that with the current implementation, changing the scope of an application role won't change user roles. (Except if we do a proper migration). It reduces the usefulness of this object in my opinion.

[flomonster]

Tested and not working. No user is created when using the application.

[flomonster]

LGTM (tested).
Before using it in prod we need:

• Add tests
• Remove application role
• Add CLI

[SharglutDev]

Lgtm (not tested)