editoast: harmonize builtin roles serializations

leovalais · leovalais · commit 62c281402e63 · 2024-10-02T15:19:55.000+02:00
Signed-off-by: Leo Valais &lt;leo.valais97@gmail.com&gt;
diff --git a/editoast/editoast_authz/src/builtin_role.rs b/editoast/editoast_authz/src/builtin_role.rs
@@ -1,70 +1,49 @@
+use serde::Deserialize;
 use serde::Serialize;
 use strum::AsRefStr;
-use strum::Display;
 use strum::EnumString;
 use utoipa::ToSchema;
 
 use crate::roles::BuiltinRoleSet;
 
 #[derive(
-    Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize, EnumString, AsRefStr, Display, ToSchema,
+    Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize, Deserialize, EnumString, AsRefStr, ToSchema,
 )]
-#[strum(serialize_all = "snake_case")]
 pub enum BuiltinRole {
     /// A user with this role short-circuits all role and permission checks
     ///
     /// Alternatively, especially for development, the `EDITOAST_SUPERUSER` environment variable can be set
     /// when no user identity header is present. (This is the case when editoast is queried directly and
     /// not through the gateway.)
-    #[strum(serialize = "superuser")]
     Superuser,
 
-    #[strum(serialize = "operational_studies:write")]
     OpsWrite,
-    #[strum(serialize = "operational_studies:read")]
     OpsRead,
 
-    #[strum(serialize = "infra:read")]
     InfraRead,
-    #[strum(serialize = "infra:write")]
     InfraWrite,
 
-    #[strum(serialize = "rolling_stock_collection:read")]
     RollingStockCollectionRead,
-    #[strum(serialize = "rolling_stock_collection:write")]
     RollingStockCollectionWrite,
 
-    #[strum(serialize = "work_schedule:write")]
     WorkScheduleWrite,
-    #[strum(serialize = "work_schedule:read")]
     WorkScheduleRead,
 
-    #[strum(serialize = "map:read")]
     MapRead,
 
-    #[strum(serialize = "stdcm")]
     Stdcm,
-    #[strum(serialize = "stdcm:admin")]
     StdcmAdmin,
 
-    #[strum(serialize = "timetable:read")]
     TimetableRead,
-    #[strum(serialize = "timetable:write")]
     TimetableWrite,
 
-    #[strum(serialize = "document:read")]
     DocumentRead,
-    #[strum(serialize = "document:write")]
     DocumentWrite,
 
-    #[strum(serialize = "subject:read")]
     SubjectRead,
-    #[strum(serialize = "subject:write")]
     SubjectWrite,
 
-    #[strum(serialize = "role:read")]
     RoleRead,
-    #[strum(serialize = "role:write")]
     RoleWrite,
 }
 
diff --git a/editoast/openapi.yaml b/editoast/openapi.yaml
@@ -75,7 +75,7 @@ paths:
                 roles:
                   type: array
                   items:
-                    type: string
+                    $ref: '#/components/schemas/BuiltinRole'
         required: true
       responses:
         '204':
@@ -102,7 +102,7 @@ paths:
                 roles:
                   type: array
                   items:
-                    type: string
+                    $ref: '#/components/schemas/BuiltinRole'
         required: true
       responses:
         '204':
@@ -4082,7 +4082,6 @@ components:
       - $ref: '#/components/schemas/EditoastInfraApiErrorNotFound'
       - $ref: '#/components/schemas/EditoastInfraCacheEditoastErrorObjectNotFound'
       - $ref: '#/components/schemas/EditoastInfraStateErrorFetchError'
-      - $ref: '#/components/schemas/EditoastInvalidRoleTagInvalid'
       - $ref: '#/components/schemas/EditoastLayersErrorLayerNotFound'
       - $ref: '#/components/schemas/EditoastLayersErrorViewNotFound'
       - $ref: '#/components/schemas/EditoastLinesErrorsLineNotFound'
@@ -4369,25 +4368,6 @@ components:
           type: string
           enum:
           - editoast:infra_state:FetchError
-    EditoastInvalidRoleTagInvalid:
-      type: object
-      required:
-      - type
-      - status
-      - message
-      properties:
-        context:
-          type: object
-        message:
-          type: string
-        status:
-          type: integer
-          enum:
-          - 400
-        type:
-          type: string
-          enum:
-          - editoast:authz:role:Invalid
     EditoastLayersErrorLayerNotFound:
       type: object
       required:
diff --git a/editoast/src/views/authz.rs b/editoast/src/views/authz.rs
@@ -1,5 +1,4 @@
 use std::collections::HashSet;
-use std::str::FromStr;
 
 use crate::error::Result;
 use crate::models::auth::{AuthDriverError, PgAuthDriver};
@@ -120,15 +119,7 @@ async fn list_user_roles(
 
 #[derive(serde::Deserialize, utoipa::ToSchema)]
 struct RoleListBody {
-    roles: Vec<String>,
-}
-
-#[derive(Debug, thiserror::Error, EditoastError)]
-#[editoast_error(base_id = "authz:role")]
-enum InvalidRoleTag {
-    #[error("Invalid role tag: {0}")]
-    #[editoast_error(status = 400)]
-    Invalid(String),
+    roles: Vec<BuiltinRole>,
 }
 
 #[utoipa::path(
@@ -155,15 +146,8 @@ async fn grant_roles(
 
     check_user_exists(user_id, &authorizer).await?;
 
-    let roles = roles
-        .iter()
-        .map(|role| {
-            BuiltinRole::from_str(role.as_str())
-                .map_err(|_| InvalidRoleTag::Invalid(role.to_owned()))
-        })
-        .collect::<Result<_, _>>()?;
     authorizer
-        .grant_roles(user_id, roles)
+        .grant_roles(user_id, HashSet::from_iter(roles))
         .await
         .map_err(AuthzError::from)?;
     Ok(axum::http::StatusCode::NO_CONTENT)
@@ -193,15 +177,8 @@ async fn strip_roles(
 
     check_user_exists(user_id, &authorizer).await?;
 
-    let roles = roles
-        .iter()
-        .map(|role| {
-            BuiltinRole::from_str(role.as_str())
-                .map_err(|_| InvalidRoleTag::Invalid(role.to_owned()))
-        })
-        .collect::<Result<_, _>>()?;
     authorizer
-        .strip_roles(user_id, roles)
+        .strip_roles(user_id, HashSet::from_iter(roles))
         .await
         .map_err(AuthzError::from)?;
     Ok(axum::http::StatusCode::NO_CONTENT)
diff --git a/front/public/locales/en/errors.json b/front/public/locales/en/errors.json
@@ -23,10 +23,7 @@
       "Driver": "Authentication/authorization internal error, try again or contact support",
       "NoSuchUser": "Unknown user",
       "Unauthenticated": "Unauthenticated user",
-      "Unauthorized": "Access denied",
-      "role": {
-        "Invalid": "Invalid role tag"
-      }
+      "Unauthorized": "Access denied"
     },
     "auto_fixes": {
       "ConflictingFixesOnSameObject": "Conflicting fixes for the same object on the same fix-iteration",
diff --git a/front/public/locales/fr/errors.json b/front/public/locales/fr/errors.json
@@ -23,10 +23,7 @@
       "Driver": "Erreur interne d'authentification ou d'autorisation, veuillez réessayer ou contacter le support",
       "NoSuchUser": "Utilisateur inconnu",
       "Unauthenticated": "Utilisateur non authentifié",
-      "Unauthorized": "Accès refusé",
-      "role": {
-        "Invalid": "Libellé de rôle inconnu"
-      }
+      "Unauthorized": "Accès refusé"
     },
     "auto_fixes": {
       "ConflictingFixesOnSameObject": "Correctifs conflictuels pour le même objet sur la même itération de correctif",
diff --git a/front/src/common/api/generatedEditoastApi.ts b/front/src/common/api/generatedEditoastApi.ts
@@ -889,15 +889,15 @@ export type PostAuthzRolesByUserIdApiArg = {
   /** A user ID (not to be mistaken for its identity, cf. editoast user model documentation) */
   userId: number;
   body: {
-    roles: string[];
+    roles: BuiltinRole[];
   };
 };
 export type DeleteAuthzRolesByUserIdApiResponse = unknown;
 export type DeleteAuthzRolesByUserIdApiArg = {
   /** A user ID (not to be mistaken for its identity, cf. editoast user model documentation) */
   userId: number;
   body: {
-    roles: string[];
+    roles: BuiltinRole[];
   };
 };
 export type PostDocumentsApiResponse =
