feat(stac)!: experimenting with stac auth proxy configure_app

.github/workflows/data/barc-thomasfire.json

@@ -0,0 +1,133 @@
+{
+    "id": "barc-thomasfire",
+    "type": "Collection",
+    "links": [
+        {
+            "rel": "items",
+            "type": "application/geo+json",
+            "href": "https://dev.openveda.cloud/api/stac/collections/barc-thomasfire/items"
+        },
+        {
+            "rel": "parent",
+            "type": "application/json",
+            "href": "https://dev.openveda.cloud/api/stac/"
+        },
+        {
+            "rel": "root",
+            "type": "application/json",
+            "href": "https://dev.openveda.cloud/api/stac/"
+        },
+        {
+            "rel": "self",
+            "type": "application/json",
+            "href": "https://dev.openveda.cloud/api/stac/collections/barc-thomasfire"
+        },
+        {
+            "rel": "items",
+            "href": "https://dev.openveda.cloud/api/stac/collections/barc-thomasfire/items",
+            "type": "application/geo+json"
+        },
+        {
+            "rel": "http://www.opengis.net/def/rel/ogc/1.0/queryables",
+            "href": "https://dev.openveda.cloud/api/stac/collections/barc-thomasfire/queryables",
+            "type": "application/schema+json",
+            "title": "Queryables"
+        },
+        {
+            "rel": "http://www.opengis.net/def/rel/ogc/1.0/queryables",
+            "type": "application/schema+json",
+            "title": "Queryables",
+            "href": "https://dev.openveda.cloud/api/stac/collections/barc-thomasfire/queryables"
+        }
+    ],
+    "title": "Burn Area Reflectance Classification for Thomas Fire",
+    "extent": {
+        "spatial": {
+            "bbox": [
+                [
+                    -119.7279834250452,
+                    34.19572604525683,
+                    -118.88724142537933,
+                    34.72668711929945
+                ]
+            ]
+        },
+        "temporal": {
+            "interval": [
+                [
+                    "2017-12-01T00:00:00+00:00",
+                    "2017-12-31T00:00:00+00:00"
+                ]
+            ]
+        }
+    },
+    "license": "CC0-1.0",
+    "renders": {
+        "dashboard": {
+            "title": "VEDA Dashboard Render Parameters",
+            "assets": [
+                "cog_default"
+            ],
+            "nodata": "nan",
+            "rescale": [
+                [
+                    1,
+                    4
+                ]
+            ],
+            "colormap_name": "rdylgn_r"
+        }
+    },
+    "providers": [
+        {
+            "url": "https://burnseverity.cr.usgs.gov/products/baer",
+            "name": "USGS Burnt Area Emergency Response (BAER)",
+            "roles": [
+                "producer"
+            ]
+        },
+        {
+            "url": "https://www.earthdata.nasa.gov/dashboard/",
+            "name": "NASA VEDA",
+            "roles": [
+                "host"
+            ]
+        },
+        {
+            "url": "https://www.earthdata.nasa.gov/dashboard/",
+            "name": "NASA VEDA",
+            "roles": [
+                "processor"
+            ]
+        }
+    ],
+    "summaries": {
+        "datetime": [
+            "2017-12-01T00:00:00Z"
+        ],
+        "cog_default": {
+            "max": 4,
+            "min": 1
+        }
+    },
+    "description": "Burn Area Reflectance Classification (BARC) from the Burned Area Emergency Response (BAER) program for Thomas fire, 2017",
+    "item_assets": {
+        "cog_default": {
+            "type": "image/tiff; application=geotiff; profile=cloud-optimized",
+            "roles": [
+                "data",
+                "layer"
+            ],
+            "title": "Default COG Layer",
+            "description": "Cloud optimized default layer to display on map"
+        }
+    },
+    "stac_version": "1.0.0",
+    "stac_extensions": [
+        "https://stac-extensions.github.io/render/v1.0.0/schema.json",
+        "https://stac-extensions.github.io/item-assets/v1.0.0/schema.json"
+    ],
+    "dashboard:is_periodic": false,
+    "dashboard:time_density": null,
+    "dashboard:tenant": "different-tenant"
+}

.github/workflows/data/noaa-emergency-response.json

@@ -24,5 +24,6 @@
                 ]
             ]
         }
-    }
+    },
+    "dashboard:tenant": "fake-tenant"
 }

docker-compose.yml

@@ -30,14 +30,18 @@ services:
       # https://github.com/developmentseed/eoAPI/issues/16
       # - TITILER_ENDPOINT=raster
       - TITILER_ENDPOINT=http://0.0.0.0:8082
-      - VEDA_STAC_ENABLE_TRANSACTIONS=True
+      - VEDA_STAC_ROOT_PATH=
+      - VEDA_STAC_OPENID_CONFIGURATION_URL=https://example.com/.well-known/openid-configuration
+      - VEDA_STAC_ENABLE_TRANSACTIONS=False
+
     depends_on:
       - database
       - raster
     command: bash -c "bash /tmp/scripts/wait-for-it.sh -t 120 -h database -p 5432 && /start.sh"
     volumes:
       - ./scripts:/tmp/scripts
 
+
   raster:
     container_name: veda.raster
     platform: linux/amd64

stac_api/runtime/setup.py

@@ -14,14 +14,14 @@
     "stac-fastapi.extensions~=5.0",
     "stac-fastapi.pgstac>=5.0.3,<6.0",
     "jinja2>=2.11.2,<4.0.0",
-    "starlette-cramjam>=0.3.2,<0.4",
     "importlib_resources>=1.1.0;python_version<='3.11'",  # https://github.com/cogeotiff/rio-tiler/pull/379
     "pygeoif<=0.8",  # newest release (1.0+ / 09-22-2022) breaks a number of other geo libs
     "aws-lambda-powertools>=1.18.0",
     "aws_xray_sdk>=2.6.0,<3",
     "pystac[validation]==1.10.1",
     "pydantic>2",
     "eoapi-auth-utils==0.3.0",
+    "stac-auth-proxy==0.9.2",
 ]
 
 extra_reqs = {

stac_api/runtime/src/app.py

@@ -15,6 +15,7 @@
     post_request_model,
 )
 from src.extension import TiTilerExtension
+from stac_auth_proxy import configure_app
 
 from fastapi import APIRouter, FastAPI
 from fastapi.responses import ORJSONResponse
@@ -25,10 +26,10 @@
 from starlette.requests import Request
 from starlette.responses import HTMLResponse, JSONResponse
 from starlette.templating import Jinja2Templates
-from starlette_cramjam.middleware import CompressionMiddleware
 
 from .core import VedaCrudClient
 from .monitoring import LoggerRouteHandler, logger, metrics, tracer
+from .tenant_filter_middleware import TenantFilterMiddleware
 from .validation import ValidationMiddleware
 
 from eoapi.auth_utils import OpenIdConnectAuth, OpenIdConnectSettings
@@ -82,10 +83,26 @@ async def lifespan(app: FastAPI):
     collections_get_request_model=collections_get_request_model,
     items_get_request_model=items_get_request_model,
     response_class=ORJSONResponse,
-    middlewares=[Middleware(CompressionMiddleware), Middleware(ValidationMiddleware)],
+    middlewares=[Middleware(ValidationMiddleware), Middleware(TenantFilterMiddleware)],
     router=APIRouter(route_class=LoggerRouteHandler),
 )
-app = api.app
+
+if (
+    auth_settings.openid_configuration_url
+    and auth_settings.openid_configuration_internal_url
+):
+    # Use stac-auth-proxy when authentication is enabled, which it will be for production envs
+    app = configure_app(
+        api.app,
+        upstream_url=(api_settings.custom_host + (api_settings.root_path or "")),
+        oidc_discovery_url=str(auth_settings.openid_configuration_url),
+        oidc_discovery_internal_url=str(auth_settings.openid_configuration_url),
+        default_public=True,
+        root_path=api_settings.root_path,
+    )
+else:
+    # Use standard FastAPI app when authentication is disabled, for testing
+    app = api.app
 
 # Set all CORS enabled origins
 if api_settings.cors_origins:
@@ -132,6 +149,13 @@ async def lifespan(app: FastAPI):
     extension.register(api.app, tiles_settings.titiler_endpoint)
 
 
+# Add health endpoint for testing
+@app.get("/_mgmt/ping")
+async def health_check():
+    """Health check endpoint for testing."""
+    return {"status": "ok", "message": "pong"}
+
+
 @app.get("/index.html", response_class=HTMLResponse)
 async def viewer_page(request: Request):
     """Search viewer."""

stac_api/runtime/src/config.py

@@ -85,6 +85,11 @@ class _ApiSettings(Settings):
     enable_transactions: bool = Field(
         False, description="Whether to enable transactions"
     )
+    swagger_ui_endpoint: str = "/docs"
+    openapi_spec_endpoint: str = "/openapi.json"
+    custom_host: Optional[str] = Field(
+        "http://localhost:8081", description="Custom host URL"
+    )
 
     @field_validator("cors_origins")
     @classmethod

stac_api/runtime/src/monitoring.py

@@ -1,5 +1,6 @@
 """Observability utils"""
 import json
+import logging
 from typing import Callable
 
 from aws_lambda_powertools import Logger, Metrics, Tracer, single_metric
@@ -16,6 +17,9 @@
 metrics.set_default_dimensions(environment=settings.stage, service="stac-api")
 tracer: Tracer = Tracer()
 
+logging.getLogger().setLevel(logging.DEBUG)
+logging.getLogger("stac-auth-proxy").setLevel(logging.DEBUG)
+
 
 class LoggerRouteHandler(APIRoute):
     """Extension of base APIRoute to add context to log statements, as well as record usage metrics"""