editoast: add configurable authorization to TestAppBuilder

[hamz2a]

Update TestAppBuilder to support configurable authorization settings

• Modified TestAppBuilder to allow enabling/disabling authorization via the enable_authorization field.
• Added a test to verify that project creation fails with a FORBIDDEN status when authorization is enabled.

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 81.46%. Comparing base (8ac5276) to head (8713f84).
Report is 67 commits behind head on dev.

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@           Coverage Diff           @@
##              dev   #10197   +/-   ##
=======================================
  Coverage   81.46%   81.46%           
=======================================
  Files        1058     1058           
  Lines      104318   104320    +2     
  Branches      724      722    -2     
=======================================
+ Hits        84981    84985    +4     
+ Misses      19295    19294    -1     
+ Partials       42       41    -1     

Flag	Coverage Δ
editoast	73.68% <100.00%> (+0.05%)	⬆️
front	89.18% <ø> (-0.02%)	⬇️
gateway	2.18% <ø> (ø)
osrdyne	3.28% <ø> (ø)
railjson_generator	87.50% <ø> (ø)
tests	87.05% <ø> (+0.04%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[leovalais]

This PR revealed a bug. When no authentication header is sent to editoast, we respond with a 403 instead of a 401. Its fix belongs to another PR, but I don't believe we should be testing a faulty behavior. Here's my proposition:

1. Add a function TestApp::def_user(&self, UserInfo, impl IntoIterator<Item = BuiltinRole>) that persists a user configuration for a test.
2. Add a convenience function TestAppBuilder::user(self, UserInfo, impl IntoIterator<Item = BuiltinRole>)
3. Add a function like app.post("...").from_user(UserInfo { ... }).json(... to add the headers to the request.
4. Change the test behavior to "make a request with a real authenticated user which doesn't have the required role", where responding 403 is a valid response.

Wdyt?

[leovalais]

Thanks for the modifications! It looks much better, a few comments about API readability and convenience.

[leovalais]

LGTM, thanks!