Tracking issue • Role-based authorization system

[leovalais]

Note

Design doc: https://osrd.fr/en/docs/reference/design-docs/auth/

Setup and logic system — covered in #7981

• Crate editoast_authz
• SQL setup
• New user registration using request headers
• Role config
• Internal API setup (Authorizer and friends)
• Role check
• Test over one endpoint
• Works with manual role edition (no endpoint, manual DB modifications)
• Logic tests on editoast_authz side using mocked DB interface
• DB interface tests
• Some documentation ofc

Planned work

• RBAC: implement role management endpoints #8743
• RBAC: CLI interface #8744
• RBAC: automatically ensure role-checking in unit tests #8746

Various improvements

• Make a middleware that checks the roles of each endpoints automatically (we could hook ourselves to the struct __path_fn generated for each endpoint to provide the required roles) ✋ Blocked by Tracking issue • Post-axum migration improvements #8178 (item routes!)
• Nice to have but useful: have all protected endpoints take a Connection extractor which gets a connection from the pool and starts a transaction. This way we ensure that nothing done before checking the roles/grants can't be undone. ✋ Blocked by Rework editoast's testing utils #6980
• editoast: make an authorizer request extractor #8276
• gateway, editoast: separate identity and username in injected headers #8277