feat: add eoapi-auth-util to stac api (#467)

Author: smohiudd

.example.env

@@ -32,6 +32,8 @@ VEDA_CLIENT_ID=
 VEDA_CLIENT_SECRET=secret
 VEDA_DATA_ACCESS_ROLE_ARN=
 VEDA_COGNITO_DOMAIN=
+VEDA_OPENID_CONFIGURATION_URL=
+VEDA_KEYCLOAK_CLIENT_ID=
 
 STAC_BROWSER_BUCKET=
 STAC_URL=

local/Dockerfile.stac

@@ -12,9 +12,6 @@ RUN pip install --upgrade pip
 RUN pip install boto3
 
 COPY stac_api/runtime /tmp/stac
-
-COPY common/auth /tmp/stac/common/auth
-RUN pip install /tmp/stac/common/auth
 RUN pip install /tmp/stac 
 RUN rm -rf /tmp/stac
 

stac_api/infrastructure/config.py

@@ -45,16 +45,9 @@ class vedaSTACSettings(BaseSettings):
         description="Description of the STAC Catalog",
     )
 
-    userpool_id: Optional[str] = Field(
-        None, description="The Cognito Userpool used for authentication"
-    )
-    cognito_domain: Optional[AnyHttpUrl] = Field(
-        None,
-        description="The base url of the Cognito domain for authorization and token urls",
-    )
-    client_id: Optional[str] = Field(None, description="The Cognito APP client ID")
-    client_secret: Optional[str] = Field(
-        "", description="The Cognito APP client secret"
+    keycloak_client_id: Optional[str] = Field(None, description="Auth client ID")
+    openid_configuration_url: Optional[AnyHttpUrl] = Field(
+        None, description="OpenID config url"
     )
     stac_enable_transactions: bool = Field(
         False, description="Whether to enable transactions endpoints"
@@ -69,10 +62,10 @@ def check_transaction_fields(cls, values):
         """
         Validates the existence of auth env vars in case stac_enable_transactions is True
         """
-        if values.get("stac_enable_transactions"):
+        if values.get("stac_enable_transactions") == "True":
             missing_fields = [
                 field
-                for field in ["userpool_id", "cognito_domain", "client_id"]
+                for field in ["keycloak_client_id", "openid_configuration_url"]
                 if not values.get(field)
             ]
             if missing_fields:

stac_api/infrastructure/construct.py

@@ -42,9 +42,10 @@ def __init__(
             "VEDA_STAC_PROJECT_DESCRIPTION": veda_stac_settings.project_description,
             "VEDA_STAC_ROOT_PATH": veda_stac_settings.stac_root_path,
             "VEDA_STAC_STAGE": stage,
-            "VEDA_STAC_USERPOOL_ID": veda_stac_settings.userpool_id,
-            "VEDA_STAC_CLIENT_ID": veda_stac_settings.client_id,
-            "VEDA_STAC_COGNITO_DOMAIN": str(veda_stac_settings.cognito_domain),
+            "VEDA_STAC_CLIENT_ID": veda_stac_settings.keycloak_client_id,
+            "VEDA_STAC_OPENID_CONFIGURATION_URL": str(
+                veda_stac_settings.openid_configuration_url
+            ),
             "VEDA_STAC_ENABLE_TRANSACTIONS": str(
                 veda_stac_settings.stac_enable_transactions
             ),

stac_api/runtime/Dockerfile

@@ -5,8 +5,6 @@ WORKDIR /tmp
 COPY stac_api/runtime /tmp/stac
 
 RUN pip install "mangum" "plpygis>=0.2.1" /tmp/stac -t /asset --no-binary pydantic
-COPY common/auth /tmp/stac/common/auth
-RUN pip install /tmp/stac/common/auth -t /asset
 RUN rm -rf /tmp/stac
 
 # Reduce package size and remove useless files

stac_api/runtime/setup.py

@@ -20,6 +20,7 @@
     "aws_xray_sdk>=2.6.0,<3",
     "pystac[validation]==1.10.1",
     "pydantic>2",
+    "eoapi-auth-utils==0.3.0",
 ]
 
 extra_reqs = {

stac_api/runtime/src/app.py

@@ -12,7 +12,6 @@
 from src.extension import TiTilerExtension
 
 from fastapi import APIRouter, FastAPI
-from fastapi.params import Depends
 from fastapi.responses import ORJSONResponse
 from stac_fastapi.pgstac.db import close_db_connection, connect_to_db
 from starlette.middleware import Middleware
@@ -25,9 +24,10 @@
 from .api import VedaStacApi
 from .core import VedaCrudClient
 from .monitoring import LoggerRouteHandler, logger, metrics, tracer
-from .routes import add_route_dependencies
 from .validation import ValidationMiddleware
 
+from eoapi.auth_utils import OpenIdConnectAuth, OpenIdConnectSettings
+
 try:
     from importlib.resources import files as resources_files  # type: ignore
 except ImportError:
@@ -38,6 +38,7 @@
 templates = Jinja2Templates(directory=str(resources_files(__package__) / "templates"))  # type: ignore
 
 tiles_settings = TilesApiSettings()
+auth_settings = OpenIdConnectSettings(_env_prefix="VEDA_STAC_")
 
 
 @asynccontextmanager
@@ -56,11 +57,12 @@ async def lifespan(app: FastAPI):
         root_path=api_settings.root_path,
         swagger_ui_init_oauth=(
             {
-                "appName": "Cognito",
-                "clientId": api_settings.client_id,
+                "appName": "STAC API",
+                "clientId": auth_settings.client_id,
                 "usePkceWithAuthorizationCodeGrant": True,
+                "scopes": "openid stac:item:create stac:item:update stac:item:delete stac:collection:create stac:collection:update stac:collection:delete",
             }
-            if api_settings.client_id
+            if auth_settings.client_id
             else {}
         ),
         lifespan=lifespan,
@@ -88,41 +90,35 @@ async def lifespan(app: FastAPI):
         allow_headers=["*"],
     )
 
-if api_settings.enable_transactions:
-    from veda_auth import VedaAuth
-
-    auth = VedaAuth(api_settings)
-    # Require auth for all endpoints that create, modify or delete data.
-    add_route_dependencies(
-        app.router.routes,
-        [
-            {"path": "/collections", "method": "POST", "type": "http"},
-            {"path": "/collections/{collectionId}", "method": "PUT", "type": "http"},
-            {"path": "/collections/{collectionId}", "method": "DELETE", "type": "http"},
-            {
-                "path": "/collections/{collectionId}/items",
-                "method": "POST",
-                "type": "http",
-            },
-            {
-                "path": "/collections/{collectionId}/items/{itemId}",
-                "method": "PUT",
-                "type": "http",
-            },
-            {
-                "path": "/collections/{collectionId}/items/{itemId}",
-                "method": "DELETE",
-                "type": "http",
-            },
-            {
-                "path": "/collections/{collectionId}/bulk_items",
-                "method": "POST",
-                "type": "http",
-            },
-        ],
-        [Depends(auth.validated_token)],
+if api_settings.enable_transactions and auth_settings.client_id:
+    oidc_auth = OpenIdConnectAuth(
+        openid_configuration_url=auth_settings.openid_configuration_url,
+        allowed_jwt_audiences="account",
     )
 
+    restricted_prefixes_methods = {
+        "/collections": [("POST", "stac:collection:create")],
+        "/collections/{collection_id}": [
+            ("PUT", "stac:collection:update"),
+            ("DELETE", "stac:collection:delete"),
+        ],
+        "/collections/{collection_id}/items": [("POST", "stac:item:create")],
+        "/collections/{collection_id}/items/{item_id}": [
+            ("PUT", "stac:item:update"),
+            ("DELETE", "stac:item:delete"),
+        ],
+        "/collections/{collection_id}/bulk_items": [("POST", "stac:item:create")],
+    }
+
+    for route in app.router.routes:
+        method_scopes = restricted_prefixes_methods.get(route.path)
+        if not method_scopes:
+            continue
+        for method, scope in method_scopes:
+            if method not in route.methods:
+                continue
+            oidc_auth.apply_auth_dependencies(route, required_token_scopes=[scope])
+
 if tiles_settings.titiler_endpoint:
     # Register to the TiTiler extension to the api
     extension = TiTilerExtension()

stac_api/runtime/src/config.py

@@ -7,7 +7,7 @@
 from typing import Optional
 
 import boto3
-from pydantic import AnyHttpUrl, Field, field_validator, model_validator
+from pydantic import AnyHttpUrl, Field, field_validator
 from pydantic_settings import BaseSettings, SettingsConfigDict
 
 from fastapi.responses import ORJSONResponse
@@ -63,55 +63,14 @@ class _ApiSettings(BaseSettings):
     root_path: Optional[str] = None
     pgstac_secret_arn: Optional[str] = None
     stage: Optional[str] = None
-
-    userpool_id: Optional[str] = Field(
-        "", description="The Cognito Userpool used for authentication"
-    )
-    cognito_domain: Optional[AnyHttpUrl] = Field(
-        None,
-        description="The base url of the Cognito domain for authorization and token urls",
-    )
-    client_id: Optional[str] = Field(None, description="The Cognito APP client ID")
-    client_secret: Optional[str] = Field(
-        "", description="The Cognito APP client secret"
+    client_id: Optional[str] = Field(None, description="Auth client ID")
+    openid_configuration_url: Optional[AnyHttpUrl] = Field(
+        None, description="OpenID config url"
     )
     enable_transactions: bool = Field(
         False, description="Whether to enable transactions"
     )
 
-    @model_validator(mode="before")
-    def check_transaction_fields(cls, values):
-        enable_transactions = values.get("enable_transactions")
-
-        if enable_transactions:
-            missing_fields = [
-                field
-                for field in ["userpool_id", "cognito_domain", "client_id"]
-                if not values.get(field)
-            ]
-            if missing_fields:
-                raise ValueError(
-                    f"When 'enable_transactions' is True, the following fields must be provided: {', '.join(missing_fields)}"
-                )
-        return values
-
-    @property
-    def jwks_url(self) -> AnyHttpUrl:
-        """JWKS url"""
-        if self.userpool_id:
-            region = self.userpool_id.split("_")[0]
-            return f"https://cognito-idp.{region}.amazonaws.com/{self.userpool_id}/.well-known/jwks.json"
-
-    @property
-    def cognito_authorization_url(self) -> AnyHttpUrl:
-        """Cognito user pool authorization url"""
-        return f"{self.cognito_domain}/oauth2/authorize"
-
-    @property
-    def cognito_token_url(self) -> AnyHttpUrl:
-        """Cognito user pool token and refresh url"""
-        return f"{self.cognito_domain}/oauth2/token"
-
     @field_validator("cors_origins")
     @classmethod
     def parse_cors_origin(cls, v):

stac_api/runtime/src/routes.py

@@ -7,6 +7,7 @@
 """
 
 import os
+from unittest.mock import MagicMock, patch
 
 import pytest
 from httpx import ASGITransport, AsyncClient
@@ -224,13 +225,11 @@ def test_environ():
     os.environ["AWS_SECURITY_TOKEN"] = "testing"
     os.environ["AWS_SESSION_TOKEN"] = "testing"
     os.environ["AWS_REGION"] = "us-west-2"
-    os.environ["VEDA_STAC_USERPOOL_ID"] = "us-west-2_FAKEUSERPOOL"
     os.environ["VEDA_STAC_CLIENT_ID"] = "Xdjkfghadsfkdsadfjas"
-    os.environ["VEDA_STAC_CLIENT_SECRET"] = "dsakfjdsalfkjadslfjalksfj"
     os.environ[
-        "VEDA_STAC_COGNITO_DOMAIN"
-    ] = "https://fake.auth.us-west-2.amazoncognito.com"
-    os.environ["VEDA_STAC_ENABLE_TRANSACTIONS"] = "TRUE"
+        "VEDA_STAC_OPENID_CONFIGURATION_URL"
+    ] = "https://example.com/.well-known/openid-configuration"
+    os.environ["VEDA_STAC_ENABLE_TRANSACTIONS"] = "True"
 
     # Config mocks
     os.environ["POSTGRES_USER"] = "username"
@@ -251,6 +250,28 @@ def override_validated_token():
     return "fake_token"
 
 
+def override_jwks_client():
+    """
+    Mock function to override jwks uri.
+
+    Returns:
+        str: A fake jwks url.
+    """
+    return "https://example.com/jwks"
+
+
+@pytest.fixture(autouse=True)
+def mock_auth():
+    """Mock the OpenIdConnectAuth class to bypass actual OIDC calls."""
+    with patch("eoapi.auth_utils.OpenIdConnectAuth") as mock:
+        # Create a mock instance
+        mock_instance = MagicMock()
+        mock_instance.valid_token_dependency = override_validated_token
+        mock_instance.jwks_client = override_jwks_client
+        mock.return_value = mock_instance
+        yield mock_instance
+
+
 @pytest.fixture
 async def app():
     """
@@ -286,9 +307,11 @@ async def api_client(app):
     Yields:
         TestClient: The TestClient instance for API testing.
     """
-    from src.app import auth
+    from src.app import oidc_auth
 
-    app.dependency_overrides[auth.validated_token] = override_validated_token
+    app.dependency_overrides[
+        oidc_auth.valid_token_dependency
+    ] = override_validated_token
     base_url = "http://test"
 
     async with AsyncClient(