Mv auth to middleware, rework url patterns to regex

alukach · alukach · commit ab01ecaa4a4a · 2025-03-10T12:13:45.000-07:00
diff --git a/src/stac_auth_proxy/app.py b/src/stac_auth_proxy/app.py
@@ -32,7 +32,13 @@ def create_app(settings: Optional[Settings] = None) -> FastAPI:
     )
 
     app.add_middleware(AddProcessTimeHeaderMiddleware)
-    app.add_middleware(EnforceAuthMiddleware)
+    app.add_middleware(
+        EnforceAuthMiddleware,
+        public_endpoints=settings.public_endpoints,
+        private_endpoints=settings.private_endpoints,
+        default_public=settings.default_public,
+        oidc_config_url=settings.oidc_discovery_url,
+    )
 
     if settings.openapi_spec_endpoint:
         app.add_middleware(
diff --git a/src/stac_auth_proxy/config.py b/src/stac_auth_proxy/config.py
@@ -37,15 +37,15 @@ class Settings(BaseSettings):
     default_public: bool = False
     private_endpoints: EndpointMethods = {
         # https://github.com/stac-api-extensions/collection-transaction/blob/v1.0.0-beta.1/README.md#methods
-        "/collections": ["POST"],
-        "/collections/{collection_id}": ["PUT", "PATCH", "DELETE"],
+        r"^/collections$": ["POST"],
+        r"^/collections/([^/]+)$": ["PUT", "PATCH", "DELETE"],
         # https://github.com/stac-api-extensions/transaction/blob/v1.0.0-rc.3/README.md#methods
-        "/collections/{collection_id}/items": ["POST"],
-        "/collections/{collection_id}/items/{item_id}": ["PUT", "PATCH", "DELETE"],
+        r"^/collections/([^/]+)/items$": ["POST"],
+        r"^/collections/([^/]+)/items/([^/]+)$": ["PUT", "PATCH", "DELETE"],
         # https://stac-utils.github.io/stac-fastapi/api/stac_fastapi/extensions/third_party/bulk_transactions/#bulktransactionextension
-        "/collections/{collection_id}/bulk_items": ["POST"],
+        r"^/collections/([^/]+)/bulk_items$": ["POST"],
     }
-    public_endpoints: EndpointMethods = {"/api.html": ["GET"], "/api": ["GET"]}
+    public_endpoints: EndpointMethods = {r"^/api.html$": ["GET"], r"^/api$": ["GET"]}
     openapi_spec_endpoint: Optional[str] = None
 
     collections_filter: Optional[ClassInput] = None
diff --git a/src/stac_auth_proxy/middleware/EnforceAuthMiddleware.py b/src/stac_auth_proxy/middleware/EnforceAuthMiddleware.py
@@ -1,11 +1,147 @@
-# TODO
-from fastapi import Request, Response
-from starlette.middleware.base import BaseHTTPMiddleware
+from dataclasses import dataclass, field
+from typing import Annotated, Optional, Sequence
+import json
+import logging
+import urllib.request
 
+from fastapi import HTTPException, Security, security, status, Request
+from fastapi.security.base import SecurityBase
+from pydantic import HttpUrl
+from starlette.middleware.base import ASGIApp
+from starlette.responses import JSONResponse
+from starlette.types import ASGIApp, Message, Receive, Scope, Send
+import jwt
 
-class EnforceAuthMiddleware(BaseHTTPMiddleware):
+from ..config import EndpointMethods
+from ..utils.requests import matches_route
+
+logger = logging.getLogger(__name__)
+
+
+@dataclass
+class EnforceAuthMiddleware:
     """Middleware to enforce authentication."""
 
-    async def dispatch(self, request: Request, call_next) -> Response:
+    app: ASGIApp
+    private_endpoints: EndpointMethods
+    public_endpoints: EndpointMethods
+    default_public: bool
+
+    oidc_config_url: HttpUrl
+    openid_configuration_internal_url: Optional[HttpUrl] = None
+    allowed_jwt_audiences: Optional[Sequence[str]] = None
+
+    # Generated attributes
+    # auth_scheme: SecurityBase = field(init=False)
+    jwks_client: jwt.PyJWKClient = field(init=False)
+
+    def __post_init__(self):
+        """Initialize the OIDC authentication class."""
+        logger.debug("Requesting OIDC config")
+        origin_url = str(self.openid_configuration_internal_url or self.oidc_config_url)
+        with urllib.request.urlopen(origin_url) as response:
+            if response.status != 200:
+                logger.error(
+                    "Received a non-200 response when fetching OIDC config: %s",
+                    response.text,
+                )
+                raise OidcFetchError(
+                    f"Request for OIDC config failed with status {response.status}"
+                )
+            oidc_config = json.load(response)
+            self.jwks_client = jwt.PyJWKClient(oidc_config["jwks_uri"])
+
+        # self.auth_scheme = security.OpenIdConnect(
+        #     openIdConnectUrl=str(self.oidc_config_url),
+        #     auto_error=False,
+        # )
+
+    async def __call__(self, scope: Scope, receive: Receive, send: Send) -> None:
         """Enforce authentication."""
-        return await call_next(request)
+        if scope["type"] != "http":
+            return await self.app(scope, receive, send)
+
+        request = Request(scope)
+        try:
+            scope["user"] = self.validated_user(
+                request.headers.get("Authorization"),
+                security.SecurityScopes(scopes=["read"]),
+                auto_error=self.should_enforce_auth(request),
+            )
+        except HTTPException as e:
+            response = JSONResponse({"detail": e.detail}, status_code=e.status_code)
+            return await response(scope, receive, send)
+        return await self.app(scope, receive, send)
+
+    def should_enforce_auth(self, request: Request) -> bool:
+        """Determine if authentication should be required on a given request."""
+        # If default_public, we only enforce auth if the request is for an endpoint explicitly listed as private
+        if self.default_public:
+            return matches_route(request, self.private_endpoints)
+        # If not default_public, we enforce auth if the request is not for an endpoint explicitly listed as public
+        return not matches_route(request, self.public_endpoints)
+
+    def validated_user(
+        self,
+        auth_header: Annotated[str, Security(...)],
+        required_scopes: security.SecurityScopes,
+        auto_error: bool = True,
+    ):
+        """Dependency to validate an OIDC token."""
+        if not auth_header:
+            if auto_error:
+                raise HTTPException(
+                    status_code=status.HTTP_403_FORBIDDEN,
+                    detail="Not authenticated",
+                )
+            return None
+
+        # Extract token from header
+        token_parts = auth_header.split(" ")
+        if len(token_parts) != 2 or token_parts[0].lower() != "bearer":
+            logger.error(f"Invalid token: {auth_header}")
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="Could not validate credentials",
+                headers={"WWW-Authenticate": "Bearer"},
+            )
+        [_, token] = token_parts
+
+        # Parse & validate token
+        try:
+            key = self.jwks_client.get_signing_key_from_jwt(token).key
+            payload = jwt.decode(
+                token,
+                key,
+                algorithms=["RS256"],
+                # NOTE: Audience validation MUST match audience claim if set in token (https://pyjwt.readthedocs.io/en/stable/changelog.html?highlight=audience#id40)
+                audience=self.allowed_jwt_audiences,
+            )
+        except (jwt.exceptions.InvalidTokenError, jwt.exceptions.DecodeError) as e:
+            logger.exception(f"InvalidTokenError: {e=}")
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="Could not validate credentials",
+                headers={"WWW-Authenticate": "Bearer"},
+            ) from e
+
+        # Validate scopes (if required)
+        for scope in required_scopes.scopes:
+            if scope not in payload["scope"]:
+                if auto_error:
+                    raise HTTPException(
+                        status_code=status.HTTP_401_UNAUTHORIZED,
+                        detail="Not enough permissions",
+                        headers={
+                            "WWW-Authenticate": f'Bearer scope="{required_scopes.scope_str}"'
+                        },
+                    )
+                return None
+
+        return payload
+
+
+class OidcFetchError(Exception):
+    """Error fetching OIDC configuration."""
+
+    ...
diff --git a/src/stac_auth_proxy/utils/requests.py b/src/stac_auth_proxy/utils/requests.py
@@ -5,6 +5,7 @@
 from urllib.parse import urlparse
 
 from httpx import Headers
+from starlette.requests import Request
 
 
 def safe_headers(headers: Headers) -> dict[str, str]:
@@ -35,3 +36,21 @@ def extract_variables(url: str) -> dict:
 def dict_to_bytes(d: dict) -> bytes:
     """Convert a dictionary to a body."""
     return json.dumps(d, separators=(",", ":")).encode("utf-8")
+
+
+def matches_route(request: Request, url_patterns: dict[str, list[str]]) -> bool:
+    """
+    Returns True if the incoming request.path and request.method
+    match any of the patterns (and their methods) in url_patterns.
+    Otherwise returns False.
+    """
+    path = request.url.path  # e.g. '/collections/123'
+    method = request.method.casefold()  # e.g. 'post'
+
+    for pattern, allowed_methods in url_patterns.items():
+        if re.match(pattern, path) and method in [
+            m.casefold() for m in allowed_methods
+        ]:
+            return True
+
+    return False
diff --git a/tests/test_defaults.py b/tests/test_defaults.py
@@ -34,18 +34,18 @@
 )
 def test_default_public_true(source_api_server, path, method, expected_status):
     """
-    When default_public=true and private_endpoints aren't set, all endpoints should be
+    When default_public=true and private_endpoints are set, all endpoints should be
     public except for transaction endpoints.
     """
     test_app = app_factory(
         upstream_url=source_api_server,
         public_endpoints={},
         private_endpoints={
-            "/collections": ["POST"],
-            "/collections/{collection_id}": ["PUT", "PATCH", "DELETE"],
-            "/collections/{collection_id}/items": ["POST"],
-            "/collections/{collection_id}/items/{item_id}": ["PUT", "PATCH", "DELETE"],
-            "/collections/{collection_id}/bulk_items": ["POST"],
+            r"^/collections$": ["POST"],
+            r"^/collections/([^/]+)$": ["PUT", "PATCH", "DELETE"],
+            r"^/collections/([^/]+)/items$": ["POST"],
+            r"^/collections/([^/]+)/items/([^/]+)$": ["PUT", "PATCH", "DELETE"],
+            r"^/collections/([^/]+)/bulk_items$": ["POST"],
         },
         default_public=True,
     )
