Initial implementation

Move auth logic out of Card API to a shared library, this is largely a lift-and-shift with some documentation and additional tests, with the code being moved out of: https://gitlab.developers.cam.ac.uk/uis/devops/iam/card-database/card-api/-/merge_requests/90.

Part of https://gitlab.developers.cam.ac.uk/uis/devops/iam/identity-photos-service/photo-api/-/issues/16.

apigatewayauth/permissions.py

@@ -115,7 +115,7 @@ def SpecifiedPermission(permission: str):
 
             if request.auth.principal_identifier.scheme != IdentifierSchemes.CRSID:
                 LOG.warn('Can only determine group membership for principals identified by CRSID')
-                return
+                return False
 
             # special case for people identified by crsid - check whether they are in a
             # lookup group within our list of identities for permission
@@ -135,7 +135,7 @@ def SpecifiedPermission(permission: str):
         def has_object_permission(self, request, view, obj):
             return self.has_permission(request, view)
 
-        def is_in_any_lookup_group(self, crsid: str, group_ids: Set[str]):
+        def is_in_any_lookup_group(self, crsid: str, group_ids: Set[str]) -> bool:
             """
             Determine whether a person identified by a crsid is a member of any of the lookup
             groups provided. Caches the result for 5 minutes to speed up subsequent responses.
@@ -156,6 +156,7 @@ def SpecifiedPermission(permission: str):
                 )
             except IbisException as err:
                 LOG.warn(f'Failed to get Lookup groups for {crsid} due to {err}')
+                return False
 
             cache.set(cache_key, is_in_group, timeout=600)
             return is_in_group