feat: add eoapi auth utils to ingest api (#478)

Author: smohiudd

.example.env

@@ -33,7 +33,8 @@ VEDA_CLIENT_SECRET=secret
 VEDA_DATA_ACCESS_ROLE_ARN=
 VEDA_COGNITO_DOMAIN=
 VEDA_OPENID_CONFIGURATION_URL=
-VEDA_KEYCLOAK_CLIENT_ID=
+VEDA_KEYCLOAK_STAC_API_CLIENT_ID=
+VEDA_KEYCLOAK_INGEST_API_CLIENT_ID=
 
 STAC_BROWSER_BUCKET=
 STAC_URL=

.github/workflows/pr.yml

@@ -80,9 +80,6 @@ jobs:
       - name: Install reqs for stac api
         run: python -m pip install stac_api/runtime/
 
-      - name: Install veda auth for ingest api
-        run: python -m pip install common/auth
-
       - name: Ingest unit tests
         run: NO_PYDANTIC_SSM_SETTINGS=1 python -m pytest ingest_api/runtime/tests/ -vv -s
 

ingest_api/infrastructure/config.py

@@ -39,15 +39,6 @@ class IngestorConfig(BaseSettings):
         ),
         default_factory=getuser,
     )
-
-    userpool_id: str = Field(description="The Cognito Userpool used for authentication")
-    client_id: str = Field(description="The Cognito APP client ID")
-    client_secret: Optional[str] = Field(
-        "", description="The Cognito APP client secret"
-    )
-    cognito_domain: AnyHttpUrl = Field(
-        description="The base url of the Cognito domain for authorization and token urls"
-    )
     stac_db_security_group_id: str = Field(
         description="ID of Security Group used by pgSTAC DB"
     )
@@ -94,6 +85,10 @@ class IngestorConfig(BaseSettings):
         False,
         description="Boolean to disable default API gateway endpoints for stac, raster, and ingest APIs. Defaults to false.",
     )
+
+    keycloak_ingest_api_client_id: str = Field(description="Auth client ID")
+
+    openid_configuration_url: AnyHttpUrl = Field(description="OpenID config url")
     model_config = SettingsConfigDict(
         case_sensitive=False, env_file=".env", env_prefix="VEDA_", extra="ignore"
     )

ingest_api/infrastructure/construct.py

@@ -4,7 +4,6 @@
 from aws_cdk import CfnOutput, Duration, RemovalPolicy, Stack
 from aws_cdk import aws_apigateway as apigateway
 from aws_cdk import aws_apigatewayv2_alpha, aws_apigatewayv2_integrations_alpha
-from aws_cdk import aws_cognito as cognito
 from aws_cdk import aws_dynamodb as dynamodb
 from aws_cdk import aws_ec2 as ec2
 from aws_cdk import aws_iam as iam
@@ -31,10 +30,6 @@ def __init__(
         super().__init__(scope, construct_id, **kwargs)
 
         self.table = self.build_table()
-        self.user_pool = cognito.UserPool.from_user_pool_id(
-            self, "cognito-user-pool", config.userpool_id
-        )
-        self.jwks_url = self.build_jwks_url(config.userpool_id)
         db_security_group = ec2.SecurityGroup.from_security_group_id(
             self,
             "db-security-group",
@@ -43,21 +38,17 @@ def __init__(
 
         lambda_env = {
             "DYNAMODB_TABLE": self.table.table_name,
-            "JWKS_URL": self.jwks_url,
             "NO_PYDANTIC_SSM_SETTINGS": "1",
             "STAC_URL": config.veda_stac_api_cf_url,
-            "USERPOOL_ID": config.userpool_id,
-            "CLIENT_ID": config.client_id,
-            "CLIENT_SECRET": config.client_secret,
             "RASTER_URL": config.veda_raster_api_cf_url,
             "ROOT_PATH": config.ingest_root_path,
             "STAGE": config.stage,
-            "COGNITO_DOMAIN": str(config.cognito_domain),
+            "CLIENT_ID": config.keycloak_ingest_api_client_id,
+            "OPENID_CONFIGURATION_URL": str(config.openid_configuration_url),
         }
 
         build_api_lambda_params = {
             "table": self.table,
-            "user_pool": self.user_pool,
             "db_secret": db_secret,
             "db_vpc": db_vpc,
             "db_security_group": db_security_group,
@@ -115,7 +106,6 @@ def build_api_lambda(
         *,
         table: dynamodb.ITable,
         env: Dict[str, str],
-        user_pool: cognito.IUserPool,
         db_secret: secretsmanager.ISecret,
         db_vpc: ec2.IVpc,
         db_security_group: ec2.ISecurityGroup,
@@ -164,14 +154,6 @@ def build_api_lambda(
                 handler.grant_principal,
                 "sts:AssumeRole",
             )
-
-        handler.add_to_role_policy(
-            iam.PolicyStatement(
-                actions=["cognito-idp:AdminInitiateAuth"],
-                resources=[user_pool.user_pool_arn],
-            )
-        )
-
         # Allow handler to read DB secret
         db_secret.grant_read(handler)
 
@@ -216,13 +198,6 @@ def build_api(
             disable_execute_api_endpoint=disable_default_apigw_endpoint,
         )
 
-    def build_jwks_url(self, userpool_id: str) -> str:
-        region = userpool_id.split("_")[0]
-        return (
-            f"https://cognito-idp.{region}.amazonaws.com"
-            f"/{userpool_id}/.well-known/jwks.json"
-        )
-
     # item ingest table, comsumed by ingestor
     def build_table(self) -> dynamodb.ITable:
         table = dynamodb.Table(
@@ -260,9 +235,6 @@ def __init__(
             "DYNAMODB_TABLE": table.table_name,
             "NO_PYDANTIC_SSM_SETTINGS": "1",
             "STAC_URL": config.veda_stac_api_cf_url,
-            "USERPOOL_ID": config.userpool_id,
-            "CLIENT_ID": config.client_id,
-            "CLIENT_SECRET": config.client_secret,
             "RASTER_URL": config.veda_raster_api_cf_url,
         }
 

ingest_api/runtime/Dockerfile

@@ -5,10 +5,6 @@ RUN echo "Using PGSTAC Version ${PGSTAC_VERSION}"
 
 WORKDIR /tmp
 
-COPY common/auth /tmp/common/auth
-RUN pip install /tmp/common/auth -t /asset
-RUN rm -rf /tmp/common
-
 COPY ingest_api/runtime/requirements.txt /tmp/ingestor/requirements.txt
 RUN pip install -r /tmp/ingestor/requirements.txt pypgstac==${PGSTAC_VERSION} -t /asset --no-binary pydantic uvicorn
 RUN rm -rf /tmp/ingestor

ingest_api/runtime/requirements.txt

@@ -14,3 +14,4 @@ boto3==1.24.59
 aws_xray_sdk>=2.6.0,<3
 aws-lambda-powertools>=1.18.0
 pydantic-settings>=2.4.1
+eoapi-auth-utils==0.3.0

ingest_api/runtime/src/auth.py

@@ -0,0 +1,25 @@
+from typing import Any, Dict
+
+from typing_extensions import Annotated
+
+from fastapi import Depends
+
+from eoapi.auth_utils import OpenIdConnectAuth, OpenIdConnectSettings
+
+auth_settings = OpenIdConnectSettings(_env_prefix="")
+
+oidc_auth = OpenIdConnectAuth(
+    openid_configuration_url=auth_settings.openid_configuration_url,
+    allowed_jwt_audiences="account",
+)
+
+
+def get_username(
+    token: Annotated[Dict[Any, Any], Depends(oidc_auth.valid_token_dependency)],
+) -> str:
+    result = (
+        token["preferred_username"]
+        if "preferred_username" in token
+        else str(token.get("sub"))
+    )
+    return result

ingest_api/runtime/src/config.py

@@ -1,21 +1,15 @@
 from typing import Optional
 
-from pydantic import AnyHttpUrl, ConfigDict, Field, StringConstraints
+from pydantic import AnyHttpUrl, Field, StringConstraints
 from pydantic_settings import BaseSettings
 from typing_extensions import Annotated
-from veda_auth import VedaAuth
 
 AwsArn = Annotated[str, StringConstraints(pattern=r"^arn:aws:iam::\d{12}:role/.+")]
 
 
 class Settings(BaseSettings):
     dynamodb_table: str
 
-    jwks_url: Optional[AnyHttpUrl] = Field(
-        None,
-        description="URL of JWKS, e.g. https://cognito-idp.{region}.amazonaws.com/{userpool_id}/.well-known/jwks.json",  # noqa
-    )
-
     data_access_role_arn: Optional[AwsArn] = Field(  # type: ignore
         None, description="ARN of AWS Role used to validate access to S3 data"
     )
@@ -26,33 +20,8 @@ class Settings(BaseSettings):
     )
 
     stac_url: AnyHttpUrl = Field(description="URL of STAC API")
-
-    userpool_id: str = Field(description="The Cognito Userpool used for authentication")
-
-    cognito_domain: Optional[AnyHttpUrl] = Field(
-        None,
-        description="The base url of the Cognito domain for authorization and token urls",
-    )
-    client_id: str = Field(None, description="The Cognito APP client ID")
-    client_secret: str = Field("", description="The Cognito APP client secret")
     root_path: Optional[str] = None
     stage: Optional[str] = Field(None, description="API stage")
 
-    @property
-    def cognito_authorization_url(self) -> AnyHttpUrl:
-        """Cognito user pool authorization url"""
-        return f"{self.cognito_domain}/oauth2/authorize"
-
-    @property
-    def cognito_token_url(self) -> AnyHttpUrl:
-        """Cognito user pool token and refresh url"""
-        return f"{self.cognito_domain}/oauth2/token"
-
-    model_config = ConfigDict(
-        env_file=".env", env_file_encoding="utf-8", extra="ignore"
-    )
-
 
 settings = Settings()
-
-auth = VedaAuth(settings)

ingest_api/runtime/src/dependencies.py

@@ -2,14 +2,13 @@
 
 import boto3
 import src.services as services
-from src.config import auth, settings
+from src.auth import get_username
+from src.config import settings
 
-from fastapi import Depends, HTTPException, security
+from fastapi import Depends, HTTPException
 
 logger = logging.getLogger(__name__)
 
-token_scheme = security.HTTPBearer()
-
 
 def get_table():
     client = boto3.resource("dynamodb")
@@ -23,7 +22,7 @@ def get_db(table=Depends(get_table)) -> services.Database:
 def fetch_ingestion(
     ingestion_id: str,
     db: services.Database = Depends(get_db),
-    username: str = Depends(auth.get_username),
+    username: str = Depends(get_username),
 ):
     try:
         return db.fetch_one(username=username, ingestion_id=ingestion_id)