Inventory authentication extension

[jbrown-xentity]

User Story

As an inventory developer, I want a well defined authentication extension so that authentication is well documented, can be changed, and the logic is isolated for inventory.

Acceptance Criteria

• GIVEN inventory web is running
  and the ckanext-inventory_auth extension is enabled
  WHEN an anonymous user requests any page other than a resource
  THEN the user is redirected to the login page (or equivalent)

Background

From research on inventory anonymous user seeing dataset pages in inventory-2.8

Security Considerations (required)

[Any security concerns that might be implicated in the change. "None" is OK, just be explicit here!]
Should contain tests to verify that pages and API is inaccessible

Sketch

We will want to create and store this extension in the inventory-app.
Utilize the CKAN documentation and previous extension work.
The original implementation of this is here, but behavior was inconsistent and some metadata was discoverable that was not intended. Use this as a starting point, but may need to implement access limitations for all CKAN actions except for resource viewing/download access.

[chris-macdermaid]

Ran into this open CKAN issue:
Chained auth functions lose anonymous access
ckan/ckan#5751

We can create a auth chain in the new extension for logged in users, but because of the open issue this won't work to allow anonymous users to see resources. There is an active open PR to fix this.

[pjsharpe07]

Remaining steps for this ticket:

• Rename current extension to be datagov_inventory or something similar
• Confirm all changes in ckan's default auth behavior is what we want and make any remaining changes/edits
• Create a custom error template for 403 error codes
• Create unit tests for this extension's iauth functionality
• Edit the dcat-usmetadata extension to add a disclaimer about how adding a dataset will make it public Moved to not take this step as we're asking data editor's to contact us first before adding a dataset
• Edit inventory's production.ini authorization section. Copy this over to development's .ini file as well
• Will probably need to create new ansible variable to pre-pend the auth extension only on inventory-next
• Confirm that using a local path in the requirements-freeze file will work when deployed with ansible

[pjsharpe07]

We should be wary about the functionality of auth defaulting to an ip address if no user is found. We haven't seen this in local testing yet (default is an empty string). Leaving this here as an artifact.

[pjsharpe07]

Google Sheet for current state of site access for anonymous vs logged in user

[mogul]

@chris-macdermaid and @jbrown-xentity will be pairing through a review to get this one wrapped up.