chore: Configure Renovate

See merge request !8

Fix trailing slash

See merge request !7

verify incoming id token for API backends

Closes #4

See merge request !6

Rename the variable to _DEFAULT_EXPECTED_AUTHORISED_PARTIES which better
reflects its actual meaning.

Rather than having Django settings be strings which are parsed, have
them be actual lists like they should be.

Change the enforcement setting's semantics. Now the incoming token is
*always* verified but only a warning is printed to the logs unless
API_GATEWAY_AUTH_ENFORCE_IF_TOKEN_VERIFICATION is True.

Pin the poetry and tox version numbers to a know good set. Ensure that
we're using the most recent CI pipeline templates. The most recent (as
of writing) version of tox conflicts with the most recent poetry.

add user when authenticating

Closes #2

See merge request !4

Add verification for the Authorization header for incoming requests. The
defaults are to verify that the request is appropriately authenticated
with a Google service account corresponding to the API Gateway.

Expected issuer, authorised parties, issuer certificate URLs, etc can be
customised via settings. This is unlikely to be used in production but
is useful when combined with the API Gateway emulator for local
development.

Verification can be disabled entirely by setting an appropriately
dire-named setting.

Tests have been updated to exercise verification assuming that the
Google verification library works as documented.

Closes #4

Move over to using poetry for packaging and pre-commit for code checking

Closes #3

See merge request !5

This commit changes no functionality but add pre-commit checks based on
our usual template and fixes up the code to match. Note that this found
a real bug in the type annotation for the override_permissions_spec
decorator.

Port packaging to poetry. This does not make any changes to the existing
test matrix or requirements.

When authenticating a principal add a synthetic "APIGatewayUser" object
as the request user. This object is not backed by a database object but
does have an id meaning that DRF templates used to render the API views
will correctly identify the authenticated user.

This unpacked somewhat because of a slight break with Django convention
exhibited by this app.

One needs to be _very_ careful with what is imported as a side-effect of
importing the top-level application module. That is because that module
is imported at application configure time as part of configuring the
application. It follows that applications in general are not yet
configured when the top-level application module is imported.

The top-level module here then directly imports some of the
implementation. So now our implementation must not rely on applications
having been configured at import time.

We got away with this due to the simplicity of the application but
attempting to derive from AnonymousUser triggered the problem: trying to
import anything from django.contrib.auth.models threw an exception about
applications not being configured.

The convention for DRF authentication classes is for them to sit in a
submodule named "authentication" within the top-level application. This
is for good reason; trying to have them in the top-level leads to this
sort of pain.

Unfortunately we have users in the wild using
"apigatewayauth.APIGatewayAuthentication" in their settings and so we
need to support that until users are fixed up to use
"apigatewayauth.authentication.APIGatewayAuthentication".

In the meantime, do some nasty hackery to support what was required by
the original issue.

Closes #2

Support later Django versions

Closes #1

See merge request !3

Update (or, more correctly, create) the changelog in the process.

We now have common Python project CI templates which, while continuing
to support PyPI publication, also allow for parallel matrix testing with
tox.

The GitLab CI configuration in this repo dates from a time before this
feature was in GitLab (as noted in the comments) and so had to work
around it by creating a lot of templated jobs.

Simplify the CI configuration by making use of the common template.

Downgrade required version of ucam-identitylib and be more permissive about required versions

See merge request !2

This is not ideal, but given that we only need the identifiers from identitylib
the downgrade in version and more permission version allows us to use this
library with libraries which are making use of different versions of identitylib
without needing to upgrade identitylib and refactor.

Initial implementation

See merge request !1