Add flag to say if user is eligible for WebAuthn

Currently we have some data-driven roles to say who can use this
feature. Adding a flag in the API means we can avoid API calls in
the Admin app to determine the same.

Allowing members of the GOV.UK Notify service to use the feature
is a workaround, so we can avoid making someone a Platform Admin
before they've protected their account with it.

tests/app/test_model.py

@@ -341,3 +341,17 @@ def test_template_folder_is_parent(sample_service):
     assert folders[0].is_parent_of(folders[4])
     assert folders[1].is_parent_of(folders[2])
     assert not folders[1].is_parent_of(folders[0])
+
+
+@pytest.mark.parametrize('is_platform_admin', (False, True))
+def test_user_can_use_webauthn_returns_false(sample_user, is_platform_admin):
+    sample_user.platform_admin = is_platform_admin
+    assert sample_user.can_use_webauthn == is_platform_admin
+
+
+def test_user_can_use_webauthn_if_in_broadcast_org(sample_broadcast_service):
+    assert sample_broadcast_service.users[0].can_use_webauthn
+
+
+def test_user_can_use_webauthn_if_in_notify_team(notify_service):
+    assert notify_service.users[0].can_use_webauthn

tests/app/user/test_rest.py

@@ -72,6 +72,7 @@ def test_get_user(admin_request, sample_service, sample_organisation):
     assert fetched['permissions'].keys() == {str(sample_service.id)}
     assert fetched['services'] == [str(sample_service.id)]
     assert fetched['organisations'] == [str(sample_organisation.id)]
+    assert fetched['can_use_webauthn'] is False
     assert sorted(fetched['permissions'][str(sample_service.id)]) == sorted(expected_permissions)