Django 3.0 breaks iar-backend, fix the version to <3.0

Closes #96

See merge request uis/devops/iar/backend!88

Replace authentication with Google OAuth2 and remove cruft

Closes #91 and #88

See merge request uis/devops/iar/backend!87

We no-longer use hydra or lookupproxy so we can remove them from the
docker-compose configuration along with the related support files.

We had a number of customisations to the DRF YASG shipped swagger which
we no-longer need as the later versions of Swagger UI shipped with DRF
cover our needs adequately.

The entire sphinx documentation was hilariously out of date with respect
to our current practices. Rather than hacking it, remove it with an eye
to replacing it with a better README and markdown formatted
documentation.

By including django social auth we no-longer need the use the legacy
ucamwebauth protocol.

Add the ability to authenticate to the application via Google OAuth2
(aka GSuite@Cambridge) by making use of the Django social auth library.
We enable the option to associate users by email address since we have a
large number of existing users in the application and an earlier
migration has ensured they should have the correct email address
associated with the account.

In order to allow use of Google OAuth2 tokens with the API, we implement
an "exchange" endpoint which can convert an access token from one of the
Django social auth backends into an API token which can be passed to the
API in the Authorization header. This is based on a pattern from the
Django social auth docs [1].

The Swagger UI is updated to pre-populate the Google client id and
correct scopes so that the token exchange can be performed in the
Swagger UI.

[1] https://python-social-auth.readthedocs.io/en/latest/use_cases.html#signup-by-oauth-access-token

Instead of using OAuth2 to authenticate the API, use DRF's token-based
authentication. This removes one place where we rely on hydra's Oauth2
implementation.

The other place is the use of lookupproxy. Remove the dependence on
lookupproxy and replace it with the use of the djang-ucamlookup
wrappers in assets.lookup.

This rendered a large number of formerly required settings useless so
remove them.

Update the tests to make use of token authentication instead of faking
OAuth authentication and to mock the lookup wrapper functions.

The filter defined for assets duplicated the "name" arguments. Modern
versions of django-filters infer this from the name of the field in
the class so the 2name" argument is unnecessary.

The stats endpoint does not require authentication but this is not
reflected in the generated Swagger. Annotate it appropriately.

We will be removing lookupproxy so we want to make use of the Lookup
client functionality provided by django-ucamlookup. This package assumes
that usernames are crsids which is not the case in this application.
Indeed it will continue not to be the case since we'll be moving to
Django social auth which does not guarantee any particular form for the
username.

Instead, use the email address as the primary key for user identity. We
can write a migration to migrate the existing "crisd+{crsid}" named
users to have the right email address and Django social auth *will* set
the email address properly for GSuite@Cambridge users.

Users with email addresses of the form {crsid}@cam.ac.uk can have
information returned from Lookup by parsing out the crsid. Add some
utility functions which do so.

We add a secrets.env template to the configuration so that a lookup
group's credentials may be used ot use the lookup API from outside the
CUDN.

We are going to move to a world where email address is the primary key
for a user. To this end, make sure that the existing "crsid+{crsid}"
users have their emails set correctly.

Django social auth will happily associate the Google sign in with these
users if the email addresses match and we enable it in the social
pipeline.

The existing README linked to out-of-date test and code coverage and
documentation which was no-longer being built.

Remove most of the README and replace its contents. Note that this
README is "forward-looking". It describes functionality which is added
in later commits but it didn't seem worth writing a README for old-world
and then immediately re-writing it.

Re-work asset stats endpoint

Rather than having the stats endpoint split each count out separately by
institution, gather them together as proposed in #84. Take the
opportunity to make the serializer a little more sophisticated so that
the asset count model is re-used between the "all" field and the
"by_institution" field.

Closes #84.

As noted in #85, the stats endpoint was incorrectly counting deleted
assets. Update the view to ignore deleted assets.

Closes #85.

Make the stats test a little more orthogonal by directly creating the
Asset models rather than bouncing through the API.

create a new stats endpoint

It reports:

Total number of assets
Total number of assets completed
Total number of assets with personal data
Assets per department (total, completed, with personal data)

moved oauth related utilities to django-oauthcommon

According to the Django docs, accessing the body of a POST in middleware
is verboten. Doing so is leading to
django.http.request.RawPostDataException exceptions in production so
remove it.

[1] https://docs.djangoproject.com/en/dev/topics/http/middleware/#process-view

minor bugfixes

add middleware to log HTTP 400 errors

To aid in debugging, it is useful to log to the console the requests
which cause HTTP 400 responses to be returned and the response body
itself.

Add a simple middleware which intercepts HTTP errors and logs the
required information.

explicitly set postgres image versions to match GCloud version

enable silk profiler

lookup.get_person_for_user: return cached result earlier