Implement AUTH for the management API - Master Story

[TessFerrandez]

Description

As an Azure TRE administrator
I want to make sure that access is appropriately restricted to the management API
So that we don't have data leakage or unwanted templates/workspaces created

Acceptance critiera

• Authentication/authorization is implemented with oauth2 and in such a way that AAD is replaceable (by writing a new auth component) to other auth providers in the future
• Auth is done in this iteration with AAD - and through AAD Apps that have assigned users/roles
• API access is restricted per the table below
• Auth model is documented

Endpoint	Access	Comment
GET /workspaces	Researcher/owner - assigned to the workspace - only the workspaces you belong to are returned.	TRE Admin can see all
GET /workspaces/{workspace_id}	Researcher/owner - assigned to the workspace	TRE Admin can see all
POST /workspaces	TRE Admin	To create a workspace - the admin has to manually create an AAD app and provide it when creating the workspace
GET /workspacesTemplates	TRE Admin
GET /worskpacesTemplates/{name}	TRE Admin
POST /workspacesTemplates	TRE Admin

Tasks - and sub stories

• [M] Register API with Azure AD to enable auth #95
• [M] Manual app registration for new workspace #211
• [M] Update POST /workspace to accept an auth_config #306
• [M] [Task] Implement auth token validation for API #310
• [M] Implement AUTH component for AAD #307
• [M] Retrieve 'my' workspaces #208
• [S] Enforce auth on /workspaces/{workspace_id} endpoint #221
• [M] Enforce auth on POST /workspaces API endpoint #96
• [S] [Task] Enforce AUTH for GET /workspaceTemplates #311
• [S] [Task] Enforce AUTH for GET /workspaceTemplates/{template_name} #313
• [S] [Task] Enforce AUTH for POST /workspaceTemplates #312
• [S] Document auth model #236
• [S] [Task] Configure swagger UI to use OpenID #314
• [Task] Create non-privileged tests to test routes don't allow lower priviledge  #340