@benjaoming benjaoming commented Mar 8, 2022

[This PR captures the work laid out for review of the Consent Management BB v0.9.0-rc1]

Rendered OpenAPI spec: https://app.swaggerhub.com/apis/benjaminbalder/ConsentManagementBB/0.8.1#/Signature

PR consists of:

  • CSV exports of endpoints written in API draft Google Spreadsheet
  • CSV exports of schemas written in API draft Google Spreadsheet
  • Python script for generating an OpenAPI YAML spec
  • JSON API spec, artifact imported from SwaggerHub.
  • Agreement schema from ADA project
  • Populate all schemas with known fields so far
  • Map out fields from Kantara spec
  • Map out fields from other ISO specs
  • Discuss and possibly add additional schemas (Controller, Signature, AgreementLifecycle, Purpose)
  • Move principle-id out of URL paths (because it's sensitive). Concern will not be addressed; there are many other exposures of PII in API calls.
  • Explicitly defining security layers (but which?)
  • Naming conventions (need to adjust a few things)
  • Standard of HTTP methods (GET/POST/PUT/DELETE)
  • Query resource patterns:
    • Partial resource representation
    • attribute filtering
    • pagination (iterators)
    • sorting
  • Responses and exception codes (do we define those? Some are generic/trivial, but we might be able to uncover more consent-related exceptions, too)
  • Named query parameters and operators (instead of just a subbed Filter schema)
  • Understanding of async functionality: Monitor and notification patterns
  • Events happening through TMF Event schema? (I don't see the value nor understand if this is a mandatory component of Part 1)
  • Names of endpoints: org, individual, auditor, dataconsumer, notification, callback
  • Multiple signatures to authorize a ConsentRecord (individual + health care worker)
  • Add a "state" to ConsentRecord
  • Add timestamps and hashes (for verification) to everything [added by means of Revision and Signature]
  • Implement return value types of endpoints, with special attention to SchemaName<List>
  • CRUDL for trivial models: AgreementData, AuditEventType
  • How do we obtain signatures - are they embedded into the API endpoint calls?
  • Track custom extensions via, for instance, x-govstack-sensitivity and x-govstack-iso-mapping
  • IAM/RBAC in security section (OAuth2?)
  • Optional query parameters are marked as required - they should be optional

Opening PR for internal work group coordination, this is not yet ready for reviews.

This PR is ready for a review, but keep in mind that some things from the above task list will remain to be solved in future PRs.

Other notes:

  • We may want a state diagram for Consent Records

@benjaoming benjaoming changed the title WIP: Consent Management BB API spec WIP: Consent Management BB API v0.8 Apr 6, 2022
@benjaoming benjaoming marked this pull request as ready for review April 16, 2022 20:25
@benjaoming benjaoming changed the title WIP: Consent Management BB API v0.8 Consent Management BB API v0.8.1 Apr 16, 2022
@benjaoming benjaoming changed the title Consent Management BB API v0.8.1 Consent Management BB API v1.0.0 May 6, 2022
@benjaoming benjaoming changed the title Consent Management BB API v1.0.0 Consent Management BB API v0.9.0rc1 May 12, 2022
@benjaoming benjaoming changed the title Consent Management BB API v0.9.0rc1 Consent Management BB API v0.9.0-rc1 May 12, 2022
@benjaoming benjaoming changed the title Consent Management BB API v0.9.0-rc1 Consent BB API v0.9.0-rc1 Jul 18, 2022