Enable authentication with suomi.fi credentials #19

Merged: 4 commits, Mar 7, 2024

@attemoi attemoi commented Feb 29, 2024

Description

Implement admin authentication via external E-kirjasto authentication application.

This implementation assumes that:

  • The users & roles are managed externally, not with circulation.
  • The system will have only one library, so the external users will be mapped as site-wide admins. See table below.

Role mapping

| Circulation admin role | E-kirjasto role | Description (fi) | Description (en) |
|---|---|---|---|
| unauthorized | sysadmin | - | Internal technical role for auth E-kirjasto auth system management only |
| system-admin | orgadmin | E-kirjaston pääkäyttäjä | E-library main admin |
| manager-all | admin | Paikalliskirjaston pääkäyttäjä | Local library admin user |
| unauthorized | registrant | Paikalliskirjaston työntekijä / rekisteröijä | Local librarian user / registering agent |
| librarian-all | librarian | Paikalliskirjaston työntekijä / työryhmä | Local librarian user / work group |
| unauthorized | customer | Kirjaston asiakas | Patron |

Restrictions for externally authenticated users

The following extra authorization rules are put in place for E-kirjasto (i.e. externally authenticated) users.

  • It is not possible to create / update / delete E-kirjasto users via admin UI (or API).
  • E-kirjasto users are omitted from the /admin/individual_admins response. Thus, under the admin UI “System Configuration” panel, E-kirjasto users are not listed.
  • E-kirjasto users are not authorized to see or edit password authenticated users.
  • E-kirjasto users cannot add or change their password.
  • Only E-kirjasto main admin role is authorized to edit or delete libraries.

Other implementation details:

The E-kirjasto user ID is used to populate the email field for the admin data model. This ID will also be shown in the admin UI in place of the e-mail. We have the user's given_name and family_name on the backend, so with some extra implementation it would be possible to show that in the UI instead of the ID.

The original email+password based login is still available. Also, the initial admin UI "setting up" mode is still there for creating an initial system-admin user without relying on E-kirjasto API.

New environment value ADMIN_EKIRJASTO_AUTHENTICATION_URL added for configuring the admin authentication URL.

In the test environment, a state parameter can be used to test different types of admin users. The available values are:

  • :T0000: Failure
  • :T0001: Success, Turku 853, Unverified, customer
  • :T0002: Success, Turku 853, Verified, customer
  • :T0003: Success, Helsinki 091, Verified, customer
  • :T0004: Success, Empty municipality, Verified, customer
  • :T0005: Success, Helsinki 091, Verified, customer, born 2010
  • :T0006: Success, Helsinki 091, Verified, registrant
  • :T0007: Success, Helsinki 091, Verified, admin
  • :T0008: Success, Helsinki 091, Verified, orgadmin
  • :T0009: Success, Turku 853, Verified, sysadmin
  • :T0010: Success, Turku 853, Verified, librarian

This state can be passed to the circulation admin sign-in page with a query param. For example, use http://localhost:6500/admin/sign_in?state=:T0008 to log in as a system admin.

Motivation and Context

https://jira.lingsoft.fi/browse/SIMPLYE-216 - Enable the authentication of librarians to the administration console with their suomi.fi credentials

Checklist

  • I have updated the documentation accordingly.
  • All new and existing tests passed.
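
The role mapping and the extra rules for externally authenticated users described in this pull request, sketched as an added example (not code from the pull request or the project). The `Admin` class, the action names and `extra_rules_allow` are hypothetical; the role strings come from the table above.

```python
from dataclasses import dataclass
from typing import Optional

# E-kirjasto role -> circulation admin role, taken from the table in the PR
# description. sysadmin, registrant, customer and unknown values map to nothing.
ROLE_MAP = {"orgadmin": "system-admin", "admin": "manager-all", "librarian": "librarian-all"}
ADMIN_ACTIONS = {"admin.view", "admin.write", "admin.set_password"}  # hypothetical names


@dataclass(frozen=True)
class Admin:  # hypothetical stand-in for the admin data model
    identifier: str      # e-mail address, or the E-kirjasto user ID
    auth_type: str       # "password" or "external"
    role: Optional[str]  # circulation role name; None means unauthorized


def map_role(ekirjasto_role: object) -> Optional[str]:
    """Default deny: exact string match only, no case folding or trimming."""
    return ROLE_MAP.get(ekirjasto_role) if isinstance(ekirjasto_role, str) else None


def extra_rules_allow(caller: Admin, action: str, target: Optional[Admin] = None) -> bool:
    """False when one of the extra rules blocks the action. True only means
    "not blocked here": the ordinary role checks are assumed to run as well."""
    external_caller = caller.auth_type == "external"
    if action in ADMIN_ACTIONS:
        if target is None or target.auth_type == "external":
            return False             # external accounts are never listed or edited
        return not external_caller   # external callers cannot touch password accounts
    if action == "library.write":    # edit or delete a library
        return not external_caller or caller.role == "system-admin"
    raise ValueError(f"action not modelled in this example: {action}")


# Constructed sample accounts (not real identifiers).
ORGADMIN = Admin("ext-0008", "external", map_role("orgadmin"))
LOCAL_ADMIN = Admin("ext-0007", "external", map_role("admin"))
PASSWORD_ADMIN = Admin("root@example.org", "password", "system-admin")
```
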

@attemoi attemoi force-pushed the feature/simplye-216/suomifi-auth branch from 5710812 to c12a878 Compare February 29, 2024 11:06
@attemoi attemoi force-pushed the feature/simplye-216/suomifi-auth branch 7 times, most recently from 8acdb83 to 784b38f Compare March 4, 2024 07:11
@attemoi attemoi changed the title Feature/simplye 216/suomifi auth Feature: SIMPLYE_216, enable authentication with suomi.fi credentials Mar 4, 2024
@attemoi attemoi changed the title Feature: SIMPLYE_216, enable authentication with suomi.fi credentials Enable authentication with suomi.fi credentials Mar 4, 2024
@attemoi attemoi marked this pull request as ready for review March 4, 2024 07:13
@attemoi attemoi force-pushed the feature/simplye-216/suomifi-auth branch from 784b38f to fecd6a0 Compare March 4, 2024 10:15
@sylvain-degeilh-lingsoft
Contributor

4 roles / levels have been defined:

  1. E-kirjaston pääkäyttäjä - E-library main admin
  2. Paikalliskirjaston pääkäyttäjä - Local library admin user
  3. Paikalliskirjaston työntekijä/rekisteröijä - Local librarian user / registering agent
  4. Paikalliskirjaston työntekijä/työryhmä - Local librarian user / work group

Role 1 will have access to the whole site (collection management, global statistics and system administration)
Role 2 will access the local statistics and local customized lane management
Role 3 does not have access
Role 4 will access the local customized lane management

The local customized lane management does not exist yet.

@sylvain-degeilh-lingsoft sylvain-degeilh-lingsoft left a comment

The role 3 (3. Paikalliskirjaston työntekijä/rekisteröijä - Local librarian user / registering agent) should be replaced with the role 4 (4. Paikalliskirjaston työntekijä/työryhmä - Local librarian user / work group).
Role 2 and role 4 won't have access to the system administration menu.
Role 4 won't have access to statistics.

if ekirjasto_role == "orgadmin":
return AdminRole.SYSTEM_ADMIN
elif ekirjasto_role == "admin":
return AdminRole.SITEWIDE_LIBRARY_MANAGER
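
Review bot: The if/elif ladder on ekirjasto_role compares against bare string literals, and the visible branches do not show what happens to a value that matches none of them. Make sure the chain ends in an explicit else that returns no role, so a new or misspelled E-kirjasto role value can never fall through to an admin role, and consider a single dict lookup keyed on the exact role string so the mapping can be read and tested as one table.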

Contributor

The local library manager can access the collection menu (aka left menu) with localized statistics and localized custom lanes.

Contributor Author

@attemoi attemoi Mar 4, 2024

As for Role 2 (aka manager-all, aka admin), users with this role can currently edit the library settings. So based on your comment we should add some logic to disallow that for the circulation manager-all role?

edit: based on discussion offline I will look into whether it makes more sense to add new roles or use extra rules for existing roles.

edit: The extra authorization rules are now in place. Decided to keep using the existing roles instead of creating new ones for E-kirjasto.

return AdminRole.SYSTEM_ADMIN
elif ekirjasto_role == "admin":
return AdminRole.SITEWIDE_LIBRARY_MANAGER
elif ekirjasto_role == "registrant":

Contributor

The registrant or registering agent does not have access to the UI. The role should be replaced by the equivalent to "Paikalliskirjaston työntekijä/työryhmä - Local librarian user / work group". It would have access to the left menu as well without the localized statistics, and with localized custom lanes (when available).

Contributor Author

If I'm understanding this correctly, we might be missing a role for the work group on the E-kirjasto side? See the updated table in the pull request description.

Contributor Author

Access for registrant now removed.

Contributor

Yes, exactly, a role is missing for the work group.

Contributor Author

New librarian role now included

@attemoi attemoi force-pushed the feature/simplye-216/suomifi-auth branch from fecd6a0 to 725bd98 Compare March 4, 2024 11:22
.outerjoin(
AdminCredential
) # Finland, don't return externally authenticated admins
.filter(AdminCredential.admin_id.is_(None))
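
Review bot: The inline comment after the closing parenthesis of .outerjoin(AdminCredential) actually explains the .filter(AdminCredential.admin_id.is_(None)) on the following line, so it reads as if it described the join. Move it directly above the .filter call and state the invariant it relies on, namely that an admin with no AdminCredential row is password-authenticated and one with a row is externally authenticated, so a later change to when credential rows are created does not silently change who is listed.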

Contributor Author

Also realized that we probably don't want to show password authenticated users to externally authenticated users.

@attemoi attemoi force-pushed the feature/simplye-216/suomifi-auth branch 4 times, most recently from 6b88bbd to 5daf1a1 Compare March 5, 2024 12:59
attemoi added 3 commits March 5, 2024 15:08
Value will be either "password" or "external" depending on how
the user authenticated themselves.
@attemoi attemoi force-pushed the feature/simplye-216/suomifi-auth branch from 5daf1a1 to 0bcc317 Compare March 6, 2024 12:10
@attemoi attemoi merged commit d76126c into main Mar 7, 2024
19 checks passed
@attemoi attemoi deleted the feature/simplye-216/suomifi-auth branch March 7, 2024 07:42