Rework custom integration

Author: alukach

examples/custom-integration/Dockerfile

@@ -1,5 +1,6 @@
-FROM ghcr.io/developmentseed/stac-auth-proxy:0.1.2
+ARG STAC_AUTH_PROXY_VERSION
+FROM ghcr.io/developmentseed/stac-auth-proxy:${STAC_AUTH_PROXY_VERSION}
 
-ADD . /opa
+ADD . /opt/stac-auth-proxy-integration
 
-RUN pip install /opa
+RUN pip install /opt/stac-auth-proxy-integration

examples/custom-integration/README.md

@@ -1,27 +1,11 @@
-# Open Policy Agent (OPA) Integration
+# Custom Integration Example
 
-This example demonstrates how to integrate with an Open Policy Agent (OPA) to authorize requests to a STAC API.
+This example demonstrates how to integrate with a custom filter generator.
 
 ## Running the Example
 
 From the root directory, run:
 
 ```sh
-docker compose -f docker-compose.yaml -f examples/opa/docker-compose.yaml up
+docker compose -f docker-compose.yaml -f examples/custom-integration/docker-compose.yaml up
 ```
-
-## Testing OPA
-
-```sh
-▶ curl -X POST "http://localhost:8181/v1/data/stac/cql2" \
-  -H "Content-Type: application/json" \
-  -d '{"input":{"payload": null}}'
-{"result":"private = true"}
-```
-
-```sh
-▶ curl -X POST "http://localhost:8181/v1/data/stac/cql2" \
-  -H "Content-Type: application/json" \
-  -d '{"input":{"payload": {"sub": "user1"}}}'
-{"result":"1=1"}
-```

examples/custom-integration/docker-compose.yaml

@@ -1,30 +1,12 @@
+# This compose file is intended to be run alongside the `docker-compose.yaml` file in the
+# root directory.
+
 services:
   proxy:
-    depends_on:
-      - stac
-      - opa
     build:
-      context: examples/opa
-    # environment:
-    #   UPSTREAM_URL: ${UPSTREAM_URL:-http://stac:8001}
-    #   OIDC_DISCOVERY_URL: ${OIDC_DISCOVERY_URL:-http://localhost:8888/.well-known/openid-configuration}
-    #   OIDC_DISCOVERY_INTERNAL_URL: ${OIDC_DISCOVERY_INTERNAL_URL:-http://oidc:8888/.well-known/openid-configuration}
-    #   ITEMS_FILTER_CLS: opa_integration:OpaIntegration
-    #   ITEMS_FILTER_ARGS: '["http://opa:8181", "stac/cql2"]'
-    env_file:
-      - path: .env
-        required: false
-    ports:
-      - "8000:8000"
-    volumes:
-      - ./src:/app/src
-
-  opa:
-    image: openpolicyagent/opa:latest
-    command: "run --server --addr=:8181 --watch /policies"
-    ports:
-      - "8181:8181"
-    volumes:
-      - ./examples/opa/policies:/policies
-    depends_on:
-      - stac
+      context: examples/custom-integration
+      args:
+        STAC_AUTH_PROXY_VERSION: 0.1.2
+    environment:
+      ITEMS_FILTER_CLS: custom_integration:cql2_builder
+      ITEMS_FILTER_KWARGS: '{"admin_user": "user123"}'

examples/custom-integration/policies/stac/policy.rego

@@ -0,0 +1,29 @@
+"""
+A custom integration example.
+
+In this example, we're intentionally using a functional pattern but you could also use a
+class like we do in the integrations found in stac_auth_proxy.filters.
+"""
+
+from typing import Any
+
+
+def cql2_builder(admin_user: str):
+    """CQL2 builder integration filter."""
+    # NOTE: This is where you would set up things like connection pools.
+    # NOTE: args/kwargs are passed in via environment variables.
+
+    def custom_integration_filter(ctx: dict[str, Any]) -> str:
+        """
+        Generate CQL2 expressions based on the request context.
+
+        Returns a CQL2 expression, either as a string (cql2-text) or as a dict (cql2-json).
+        """
+        # NOTE: This is where you would perform a lookup from a database, API, etc.
+        # NOTE: ctx is the request context, which includes the payload, headers, etc.
+
+        if ctx["payload"]["sub"] == admin_user:
+            return "1=1"
+        return "private = true"
+
+    return custom_integration_filter