gateway: add an authenticating reverse proxy

[anisometropie]

Before this change, we relied on an authenticating reverse proxy called gateway. It's been in use since the inception of the project, as part of a package of services we got from SNCF Réseau.

The front-end was responsible for authenticating with keycloak, and providing a Bearer token for the reverse proxy to check.

This change introduces an authenticating reverse proxy, which replaces the previous gateway.
The front-end now entirely delegates authentication to the backend.

On startup, gateway/auth/login is called, which either returns an username
if the client is authenticated, or a redirection URL if the user needs to log in.

There are three authentication backends supported by the new gateway:

• A default mock backend, which return all users to be authentificated with the same
  username
• An OpenID Connect backend, which is used to authenticate interactive users.
  The application does not support session refresh, and does not forward logout events to the
  identity provider.
• A static Bearer token backend, which is not meant to be used by interactive users

Fixes #1524
Fixes #2349
Fixes #5339

[codecov]

Codecov Report

Attention: 868 lines in your changes are missing coverage. Please review.

Comparison is base (cbc28f5) 19.58% compared to head (727b03f) 19.46%.
Report is 4 commits behind head on dev.

Files	Patch %	Lines
gateway/actix_auth/src/auth_context.rs	0.00%	141 Missing ⚠️
gateway/actix_proxy/src/lib.rs	0.00%	141 Missing ⚠️
gateway/actix_auth/src/providers/oidc.rs	0.00%	98 Missing ⚠️
gateway/src/config_parser.rs	0.00%	88 Missing ⚠️
gateway/actix_proxy/src/websocket.rs	0.00%	53 Missing ⚠️
gateway/src/main.rs	0.00%	42 Missing ⚠️
front/src/utils/hooks/OsrdAuth.ts	0.00%	35 Missing and 1 partial ⚠️
...teway/actix_auth/src/providers/provider_context.rs	0.00%	35 Missing ⚠️
gateway/actix_auth/src/service.rs	0.00%	33 Missing ⚠️
gateway/actix_auth/src/dyn_session_provider.rs	0.00%	31 Missing ⚠️
... and 26 more

Additional details and impacted files

@@             Coverage Diff              @@
##                dev    #4876      +/-   ##
============================================
- Coverage     19.58%   19.46%   -0.12%     
  Complexity     2326     2326              
============================================
  Files           886      907      +21     
  Lines        106098   106817     +719     
  Branches       2576     2579       +3     
============================================
+ Hits          20777    20796      +19     
- Misses        83812    84509     +697     
- Partials       1509     1512       +3     

Flag	Coverage Δ
editoast	68.15% <ø> (ø)
front	8.33% <56.10%> (+<0.01%)	⬆️
gateway	2.58% <2.58%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[flomonster]

Here is an intermediate review.

[bloussou]

Refresh is impossible in the front when you are not on the base url

[bloussou]

We should add a /health endpoint

[flomonster]

Very impressive PR. Thanks!
Note: Reviewed and tested with different config files on NixOS.

[clarani]

Reviewed all the code in /front, I still need to test but it will wait till Monday :) Left 2 small comments !

[alexandredamiron]

gateway timeout results in 500. 5s should ne be enough for multiple configurations

[clarani]

LGTM, tested in local (with docker and with the front+gateway+editoast in local) ✅

[Castavo]

I tested it while running all services locally, the proxy works fine !

When running with the mock auth provider, I can't logout from the front however, I get [2023-11-14T16:48:50Z WARN actix_proxy] proxy: error forwarding request: authentication required

[leovalais]

Tested on mac arm using Safari and Chrome, both locally and with docker.