front: enable authorization

[kmer2016]

closes #8049

Warning

There is currently an authorization bug between the core service and the Editoast service that prevents retrieving the infraId. This issue is being worked on and will be fixed soon. Because of this, the ManageTrainSchedule and STDCM views may have refresh problems.

New Functionalities:

• Allows specific parts of the interface to be accessible based on the user's role and the required role for access.
  • When the user is Railway Undertaking , they are redirected directly to the STDCM page.
  • When the user is Operational Studies, they are taken to the homepage, with the STDCM application grayed out.
  • When the user is a Superuser, they have full access to everything.
  • If the user has no role, they will have no access to any part of the app from the homepage.
  • If a user tries to access an application directly via URL without the proper role, they are redirected to a 403 page. For instance, if an Operational Studies user tries to access anything other than STDCM, or if a user with no role tries to access any page, they will be blocked.
  • The button to access the STDCM debug mode is now restricted to users with the Superuser role.
  • The creation of a project, study, or scenario is limited to users with the OpsWrite role. (Both OpsWrite and OpsRead can open the Ops application. OpsWrite can create, OpsRead can list the project/studies/scenarios)

Technical Updates:

• User roles are now fetched and stored in the Redux store.
• Added the REQUIRED_USER_ROLES_FOR object, which describes the required roles for accessing various views, features and those associated with different user profiles.
• Improved the RoleBasedComponent wrapper by adding the disabledIfUnauthorized property, which grays out the wrapped component instead of hiding it when the user lacks proper authorization.
• use the same componenet to handle project,study and scenario creation.

How to Test:

1. Enable Authorization on Editoast:
   Add the environment variable EDITOAST_DISABLE_AUTHORIZATION: "false" to the docker-compose.yml file, just below OSRD_MQ_URL.

or if you run editoast individually
EDITOAST_DISABLE_AUTHORIZATION=false cargo run runserver

2. Rebuild the Editoast Docker Image:
   Rebuild the Editoast Docker image and restart it.

3. Apply the SQL Scripts:
   Depending on the user profile and the feature access you want to test, apply the following SQL scripts:

Starting editoast with EDITOAST_DISABLE_AUTHORIZATION=false, you should have a subject 1 created in authn_subject table

Railway Undertaking profil

   DELETE FROM authz_role WHERE subject = 1;
   INSERT INTO authz_role (id, subject, role) VALUES 
   (1, 1, 'Stdcm'),
   (2, 1, 'RollingStockCollectionRead'),
   (3, 1, 'WorkScheduleRead'),
   (4, 1, 'InfraRead'),
   (5, 1, 'DocumentRead'),
   (6, 1, 'MapRead'),
   (7, 1, 'TimetableRead');

Operational Studies profil

DELETE FROM authz_role WHERE subject = 1;
INSERT INTO authz_role (id, subject, role) VALUES 
(1, 1, 'OpsRead'),
(2, 1, 'OpsWrite'),
(3, 1, 'InfraRead'),
(4, 1, 'InfraWrite'),
(5, 1, 'RollingStockCollectionRead'),
(6, 1, 'RollingStockCollectionWrite'),
(7, 1, 'WorkScheduleRead'),
(8, 1, 'TimetableRead'),
(9, 1, 'TimetableWrite'),
(10, 1, 'DocumentRead'),
(11, 1, 'DocumentWrite'),
(12, 1, 'MapRead');

Superuser

DELETE FROM authz_role WHERE subject = 1;
INSERT INTO authz_role (id, subject, role) VALUES 
(1, 1, 'Superuser');

No Authorization to create projet/study/scenario

DELETE FROM authz_role WHERE subject = 1;
INSERT INTO authz_role (id, subject, role) VALUES 
(1, 1, 'OpsRead'),
(3, 1, 'InfraRead'),
(5, 1, 'RollingStockCollectionRead'),
(6, 1, 'RollingStockCollectionWrite'),
(7, 1, 'WorkScheduleRead'),
(8, 1, 'TimetableRead'),
(9, 1, 'TimetableWrite'),
(10, 1, 'DocumentRead'),
(11, 1, 'DocumentWrite'),
(12, 1, 'MapRead');

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

Attention: Patch coverage is 2.01005% with 195 lines in your changes missing coverage. Please review.

Project coverage is 39.71%. Comparing base (f7f1991) to head (18cfb7c).
Report is 5 commits behind head on dev.

Files with missing lines	Patch %	Lines
.../src/common/authorization/roleBaseAccessControl.ts	0.00%	38 Missing ⚠️
...tions/operationalStudies/components/AddNewCard.tsx	0.00%	29 Missing and 1 partial ⚠️
front/src/main/home.tsx	0.00%	21 Missing ⚠️
.../common/authorization/hooks/useAllowedUserRoles.ts	0.00%	17 Missing and 1 partial ⚠️
front/src/reducers/user/userSelectors.ts	0.00%	16 Missing and 1 partial ⚠️
front/src/utils/hooks/OsrdAuth.ts	0.00%	13 Missing ⚠️
.../src/applications/stdcm/components/StdcmHeader.tsx	0.00%	11 Missing ⚠️
...ommon/authorization/components/InitialRedirect.tsx	0.00%	8 Missing and 1 partial ⚠️
front/src/applications/operationalStudies/Home.tsx	0.00%	8 Missing ⚠️
.../applications/operationalStudies/views/Project.tsx	0.00%	8 Missing ⚠️
... and 4 more

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@             Coverage Diff              @@
##                dev    #9237      +/-   ##
============================================
- Coverage     39.77%   39.71%   -0.07%     
  Complexity     2270     2270              
============================================
  Files          1302     1302              
  Lines         99565    99671     +106     
  Branches       3282     3283       +1     
============================================
- Hits          39599    39581      -18     
- Misses        58034    58157     +123     
- Partials       1932     1933       +1     

Flag	Coverage Δ
core	75.06% <ø> (ø)
editoast	73.50% <ø> (-0.08%)	⬇️
front	10.18% <2.01%> (-0.02%)	⬇️
gateway	2.19% <ø> (ø)
osrdyne	3.28% <ø> (ø)
railjson_generator	87.49% <ø> (ø)
tests	86.71% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[RomainValls]

Tested every SQL scripts for the permissions, it all seems correct.

[leovalais]

There is currently an authorization bug between the core service and the Editoast service that prevents retrieving the infraId. This issue is being worked on and will be fixed soon. Because of this, the ManageTrainSchedule and STDCM views may have refresh problems.

Was fixed in #9278, thanks for reporting it :)

[emersion]

Thanks a bunch!

[flomonster]

Approve editoast part