Restrict resource templates to specific roles

[tanya-borisova]

Resolves #2600

What is being addressed

Add ability to restrict certain user resource templates to be used by certain roles.
This is primarily needed for Airlock Reviews, where the Reviewer should not be able to use user resource templates intended for Researchers. However, it might be used in the future for other resource templates.

How is this addressed

• Add authorizedRoles field to resource template
• In POST requests for all types of resources, check if the authenticated user has at least one role in the authorizedRoles (if authorizedRoles is not empty, otherwise all roles will be assumed authorized)
• in GET requests to list shared service templates and workspace templates, add a parameter authorized_only (defaulting to False). If true, only return list of templates that the authenticated user is authorized to use. Intended to be used from the UI to reduce a chance a user tries to create a resource they aren't authorized to (and getting an error)
• Added new GET requests to list workspace service templates and user resource templates on Workspace router, which automatically only returns the templates that the user is allowed to see

Note that the template.authorizedRoles are only checked on creation of the resource. This is intentional although may appear somewhat inconsistent

[github-actions]

Unit Test Results

510 tests   510 ✔️  12s ⏱️
    1 suites      0 💤
    1 files        0 ❌

Results for commit 825c076.

♻️ This comment has been updated with latest results.

[tanya-borisova]

/test

[github-actions]

🤖 pr-bot 🤖

🏃 Running tests: https://github.com/microsoft/AzureTRE/actions/runs/3093679398 (with refid dd6692a5)

(in response to this comment from @tanya-borisova)

[tanya-borisova]

/test-destroy-env

[github-actions]

Destroying branch test environment (RG: rg-tre1b5504b3)... (run: https://github.com/microsoft/AzureTRE/actions/runs/3095882735)

[github-actions]

Branch test environment destroy complete (RG: rg-tre1b5504b3)

[github-actions]

Destroying PR test environment (RG: rg-tredd6692a5)... (run: https://github.com/microsoft/AzureTRE/actions/runs/3095882735)

[tanya-borisova]

/test

[github-actions]

🤖 pr-bot 🤖

🏃 Running tests: https://github.com/microsoft/AzureTRE/actions/runs/3095968260 (with refid dd6692a5)

(in response to this comment from @tanya-borisova)

[github-actions]

PR test environment destroy complete (RG: rg-tredd6692a5)

[tanya-borisova]

/test-destroy-env

[github-actions]

Branch test environment destroy complete (RG: rg-tre1b5504b3)

[github-actions]

PR test environment destroy complete (RG: rg-tredd6692a5)

[tanya-borisova]

/test

[github-actions]

🤖 pr-bot 🤖

🏃 Running tests: https://github.com/microsoft/AzureTRE/actions/runs/3098525208 (with refid dd6692a5)

(in response to this comment from @tanya-borisova)

[tanya-borisova]

/test-destroy-env

[github-actions]

Destroying branch test environment (RG: rg-tre1b5504b3)... (run: https://github.com/microsoft/AzureTRE/actions/runs/3100304315)

[github-actions]

Branch test environment destroy complete (RG: rg-tre1b5504b3)

[github-actions]

Destroying PR test environment (RG: rg-tredd6692a5)... (run: https://github.com/microsoft/AzureTRE/actions/runs/3100304315)

[github-actions]

PR test environment destroy complete (RG: rg-tredd6692a5)

[tanya-borisova]

/test

[github-actions]

🤖 pr-bot 🤖

🏃 Running tests: https://github.com/microsoft/AzureTRE/actions/runs/3100722085 (with refid dd6692a5)

(in response to this comment from @tanya-borisova)

[tanya-borisova]

Moved it back to draft temporarily as @damoodamoo pointed out that there's a problem: the GET methods for templates are on the root router so we won't get workspace-level roles there.
I'm going to mitigate this by having a separate GET method on the workspace router that will be used from the UI with an intention to display to user only the templates that they can deploy

[tanya-borisova]

/test

[github-actions]

🤖 pr-bot 🤖

🏃 Running tests: https://github.com/microsoft/AzureTRE/actions/runs/3106126999 (with refid dd6692a5)

(in response to this comment from @tanya-borisova)

[tanya-borisova]

/test

[github-actions]

🤖 pr-bot 🤖

🏃 Running tests: https://github.com/microsoft/AzureTRE/actions/runs/3106591276 (with refid dd6692a5)

(in response to this comment from @tanya-borisova)