Initial implementation

Move auth logic out of Card API to a shared library, this is largely a lift-and-shift with some documentation and additional tests, with the code being moved out of: https://gitlab.developers.cam.ac.uk/uis/devops/iam/card-database/card-api/-/merge_requests/90.

Part of https://gitlab.developers.cam.ac.uk/uis/devops/iam/identity-photos-service/photo-api/-/issues/16.

apigatewayauth/tests/test_permissions.py

@@ -125,6 +125,40 @@ class PermissionsTestCase(TestCase):
             )
         )
 
+    def test_get_queryset_for_principal_returns_no_objects_if_no_request_auth(self):
+        permission = IsResourceOwningPrincipal()
+
+        request = APIRequestFactory().get('/')
+
+        # `has_permission` should return false as we have no auth details on the request
+        self.assertFalse(permission.has_permission(request, self.view))
+
+        # Set should_limit_to_resource_owning_principal manually, which allows us to hit the
+        # condition of having no principal whilst trying to get the queryset for a principal.
+        # This should never really happen, but we handle the condition in the permission class
+        # so it's worth a test.
+        setattr(request, 'should_limit_to_resource_owning_principal', True)
+
+        # If we get the queryset for the principal we should get objects.none() as we do not have
+        # a principal.
+        self.assertQuerysetEqual(
+            IsResourceOwningPrincipal.get_queryset_for_principal(request, TestModel),
+            TestModel.objects.none()
+        )
+
+    def test_get_queryset_for_principal_throws_on_an_unknown_model(self):
+        permission = IsResourceOwningPrincipal()
+
+        request = self.request_with_auth(self.client_auth_details)
+        self.assertTrue(permission.has_permission(request, self.view))
+
+        # using get_queryset_for_principal without a model defining get_queryset_for_principal
+        # should cause a value error with a desciption message
+        with self.assertRaisesRegex(
+            ValueError, '{} does not implement get_queryset_for_principal'
+        ):
+            IsResourceOwningPrincipal.get_queryset_for_principal(request, {})
+
     def test_has_any_scope(self):
         permission = HasAnyScope('a', 'b.readonly')()
 
@@ -172,6 +206,11 @@ class PermissionsTestCase(TestCase):
         self.assertFalse(
             permission.has_permission(self.request_with_auth(self.client_auth_details), self.view)
         )
+        self.assertFalse(
+            permission.has_object_permission(
+                self.request_with_auth(self.client_auth_details), self.view, {}
+            )
+        )
         get_identities_mock.assert_called_with('READ_BOOKS')
 
     @patch('apigatewayauth.permissions.get_principals_with_permission')
@@ -185,6 +224,11 @@ class PermissionsTestCase(TestCase):
         self.assertTrue(
             permission.has_permission(self.request_with_auth(self.client_auth_details), self.view)
         )
+        self.assertTrue(
+            permission.has_object_permission(
+                self.request_with_auth(self.client_auth_details), self.view, {}
+            )
+        )
         get_identities_mock.assert_called_with('READ_BOOKS')
 
     @patch('apigatewayauth.permissions.get_principals_with_permission')
@@ -213,6 +257,9 @@ class PermissionsTestCase(TestCase):
         self.assertFalse(
             permission.has_permission(self.request_with_auth(auth_details), self.view)
         )
+        self.assertFalse(
+            permission.has_object_permission(self.request_with_auth(auth_details), self.view, {})
+        )
         get_identities_mock.assert_called_with('READ_MAGAZINES')
 
         # should not have queried for groups as our principal does not have a crsid identifier