Bump development tools: mypy, codespell, isort, ...

Move all tools configuration in pyproject.toml.

Remove no longer needed mypy overrides.

Latest python-keycloak release updated its typings that trigger
new mypy errors for swh-auth.

Previously when an OIDC user was logged in but the session expired,
an HTTP redirect loop could happen making the django website no
longer browsable.

Ensure redirection to the session expired page happens only once to
fix such issue.

This is better UX.

Antoine Lambert authored 10 months ago and Antoine Lambert committed 10 months ago

It adds some breaking API changes that needed to be handled in swh-auth
implementation and changed the package managing JWT from python-jose to
jwcrypto which is better maintained.

At the end of a auth-config command run, we ask the user if the newly
obtained token should be written on disk or discarded.

The default is to discard it (which seems a bit weird, but is not the
point here). Unlike what we do on write, where a green confirmation
message is displayed, we do not display any message when discarding.
So a user doing things a bit too fast can imagine that the update went
all fine as it just display a wall of green messages.

So we add a simple yellow message pointing out that we ultimately did
not write the new token. That should fix the problem.

Since the release of pytest 8.1, some pytest options are no longer
needed and editable install can be used when running tests using tox.

Keycloak got updated (3.9.1) to replace jose by jwcrypto.
Use a <3.9 constraint until we properly fix it to support jwcrypto.

Also add the dependency on python-jose since we actually import it
directly for now.

Related to swh/meta#5075.

Store authentication tokens in global configuration file with following
structure:

keycloak:
  client_id: swh-web
  realm_name: SoftwareHeritage
  server_url: https://auth.softwareheritage.org/auth/
keycloak_tokens:
  SoftwareHeritage:
    swh-web: xxxtokenxxx

Add configuration file argument to auth command group

Use keycloak default configuration and defaults method to load and merge
configuration (env > params > user configuration file > default auth
configuration > defaultvalues)

Add swh auth config command which can generate a token by providing a
username (password will be asked by a prompt), or verify a provided
token. If the token is valid user can save the authentication
configuration with token to authentication configuration file which
default to auth.yml

This is a follow up of D8909.
The set-token command prompt the user to fill a token if not provided by
args. It checks the token is valid and then write it to configuration
file.

Related T4590

It now needs types-click which is indeed a dependency of
swh.core[testing].

Django uses integer identifiers while keycloak uses UUIDs so add some
utility functions to convert back and forth between the two.

Previously the OpenID Connect backend was only allowing to provide
a refresh token in authorization header for convenient access token
renewal when querying a GraphQL service outside of a browser.

When one wants to query a GraphQL service inside a browser, the
access tokens are usually created and renewed client-side so also
allow to provide an access token in the authorization header.
In that case, the backend will simply try to decode it in order
to authenticate the user.

Related to swh-graphql#4652

GitLab will display the content of the README file when browsing the
repository. But in case the file is a symlink, it will display the
path pointed by the symlink. There is a 6 year old issue about this:
https://gitlab.com/gitlab-org/gitlab/-/issues/15093

We can workaround the issue by having the content at the root of the
repository and a symlink to this file in the `docs/` directory.

Tested in swh/devel/swh-py-template!27

swh-auth is compatible with latest django version so we can safely
remove the version restriction.

Related to swh-web#4734

Related to swh/meta#4960

Related to swh/meta#4959

accepts Keycloak server details and an aiocache cache instance
returns a starlette SimpleUser along with permissions

This fixes python 3.7 support due to poetry, a dependency of isort, that
removed support for that Python version in a recent release.

In order to remove warnings about /apidoc/*.rst files being included
multiple times in toc when building full swh documentation, prefer to
include module indices only when building standalone package documentation.

Also include them the proper sphinx way.

Related to T4496

- pre-commit from 4.1.0 to 4.3.0,
- codespell from 2.2.1 to 2.2.2,
- black from 22.3.0 to 22.10.0 and
- flake8 from 4.0.1 to 5.0.4. Also freeze flake8 dependencies.

Also change flake8's repo config to github (the gitlab mirror
being outdated).

It enables to align that parameter name with the one used in
django.contrib.auth.

The scope and state query parameters in the authorization URL are now
handled by the KeycloakOpenID.auth_url method since the release of
python-keycloak 1.8.1.

To keep backward compatibility with older python-keycloak versions, like
the one used in production, while ensuring support for recent ones we need
to ensure scope and state query parameters will be overridden if provided
in extra_params dict.