Add an authentication pseudo-mechanism for requests within mutli-requ…

…ests

scimma_admin/hopskotch_auth/api_views.py

@@ -158,6 +158,14 @@ def __init__(self, mech, sid, s):
 
 class ScramAuthentication(BaseAuthentication):
     def authenticate(self, request):
+        # This is a bit tricky, as it doesn't directly have anything to do with SCRAM Auth:
+        # If the request wraps one which is already authenticated, we hoist out that authentication
+        # information and just return it immediately.
+        # This is used by the multi request mechanism to cascade authentication down to sub-requests
+        if hasattr(request._request,"user") and request._request.user.is_authenticated \
+              and hasattr(request._request,"auth"):
+            return (request._request.user, request._request.auth)
+
         auth_header = get_authorization_header(request)
         if not auth_header or len(auth_header)==0:
             return None
@@ -335,6 +343,14 @@ def header_transform(name):
                         continue
                     sr_headers = { header_transform(k):v for k,v in rdata["headers"].items()}
                     sub_request.META.update(sr_headers)
+                # Implement our own auth pseudo-mecahnism, allowing the sub-request to re-use the
+                # parent request's auth. Note that what we replicate is not the authentication data
+                # which was sent, but the end result of the authentication, so that authentication
+                # is not repeated.
+                if "HTTP_AUTHORIZATION" in sub_request.META \
+                      and sub_request.META["HTTP_AUTHORIZATION"] == "Inherit":
+                    sub_request.user = request.user
+                    sub_request.auth = request.auth
                 # overwrite headers which should not be inherited
                 sub_request.META["REQUEST_METHOD"] = rdata["method"]
                 sub_request.META["REQUEST_URI"] = rdata["path"]

scimma_admin/hopskotch_auth/static/hopskotch_auth/api/schema.yml

@@ -21,7 +21,11 @@ paths:
   /hopauth/api/v{version}/multi:
     post:
       operationId: multiRequest
-      description: 'Submit a request to perform a bundle of sub-requests. Each sub-request is processed independently, including its authentication. The request body is a mapping of user-chosen keys to sub-requests, and the response will be in the form of a mapping with the same keys, so that sub-responses can be matched to the sub-requests the client wanted to make. Each sub-request must include a method (HTTP verb) and path requested. Each may optionally include headers (useful for including authorization tokens), and a request body if applicable. Each sub-response will include a status and response body, and may also include response headers.'
+      description: "Submit a request to perform a bundle of sub-requests. Each sub-request is processed independently, including its authentication. The request body is a mapping of user-chosen keys to sub-requests, and the response will be in the form of a mapping with the same keys, so that sub-responses can be matched to the sub-requests the client wanted to make. Each sub-request must include a method (HTTP verb) and path requested. Each may optionally include headers (useful for including authorization tokens), and a request body if applicable. Each sub-response will include a status and response body, and may also include response headers. Authentication (and authorization)
+is generally checked separately for each sub-request independent of both other sub-requests and the
+original multi-request, so in most cases each sub-request should include its own `Authorization`
+header. Besides using the `Token` scheme, a speical 'pseudo-scheme', `Inherit`, is supported, which
+causes the sub-request to share the parent multi-request's authentication."
       parameters:
       - name: version
         in: path