Working

Author: alukach

src/stac_auth_proxy/app.py

@@ -79,6 +79,7 @@ def create_app(settings: Optional[Settings] = None) -> FastAPI:
         default_public=settings.default_public,
         public_endpoints=settings.public_endpoints,
         private_endpoints=settings.private_endpoints,
+        oidc_config_url=settings.oidc_discovery_internal_url,
     )
 
     if settings.openapi_spec_endpoint:

src/stac_auth_proxy/config.py

@@ -46,7 +46,7 @@ class Settings(BaseSettings):
     openapi_spec_endpoint: Optional[str] = Field(pattern=_PREFIX_PATTERN, default=None)
 
     signer_endpoint: Optional[str] = Field(pattern=_PREFIX_PATTERN, default=None)
-    signer_asset_expression: str = Field(default=r".*")
+    signer_asset_expression: str = Field(default=r"^s3://.*$")
 
     # Auth
     default_public: bool = False

src/stac_auth_proxy/middleware/AuthenticationExtensionMiddleware.py

@@ -2,11 +2,13 @@
 
 import logging
 import re
-from dataclasses import dataclass
+from dataclasses import dataclass, field
 from itertools import chain
 from typing import Any, Optional
 from urllib.parse import urlparse
 
+import httpx
+from pydantic import HttpUrl
 from starlette.requests import Request
 from starlette.types import ASGIApp
 
@@ -17,7 +19,7 @@
 logger = logging.getLogger(__name__)
 
 
-@dataclass(frozen=True)
+@dataclass
 class AuthenticationExtensionMiddleware(JsonResponseMiddleware):
     """Middleware to add the authentication extension to the response."""
 
@@ -30,22 +32,48 @@ class AuthenticationExtensionMiddleware(JsonResponseMiddleware):
     private_endpoints: EndpointMethods
     public_endpoints: EndpointMethods
 
-    signing_scheme: str = "signed_url_auth"
-    auth_scheme: str = "oauth"
+    oidc_config_url: Optional[HttpUrl] = None
+    signing_scheme_name: str = "signed_url_auth"
+    auth_scheme_name: str = "oauth"
+    auth_scheme: dict[str, Any] = field(default_factory=dict)
+    extension_url: str = (
+        "https://stac-extensions.github.io/authentication/v1.1.0/schema.json"
+    )
+
+    def __post_init__(self):
+        """Load after initialization."""
+        if self.oidc_config_url and not self.auth_scheme:
+            # Retrieve OIDC configuration and extract authorization and token URLs
+            oidc_config = httpx.get(str(self.oidc_config_url)).json()
+            self.auth_scheme = {
+                "type": "oauth2",
+                "description": "requires an authentication token",
+                "flows": {
+                    "authorizationCode": {
+                        "authorizationUrl": oidc_config.get("authorization_endpoint"),
+                        "tokenUrl": oidc_config.get("token_endpoint"),
+                        "scopes": {
+                            k: k
+                            for k in sorted(oidc_config.get("scopes_supported", []))
+                        },
+                    },
+                },
+            }
 
     def should_transform_response(self, request: Request) -> bool:
         """Determine if the response should be transformed."""
-        print(f"{request.url=!s}")
-        return True
+        # Match STAC catalog, collection, or item URLs with a single regex
+        return bool(
+            re.match(
+                r"^(/|/collections(/[^/]+(/items/[^/]+)?)?|/search)$", request.url.path
+            )
+        )
 
     def transform_json(self, doc: dict[str, Any]) -> dict[str, Any]:
         """Augment the STAC Item with auth information."""
-        extension = (
-            "https://stac-extensions.github.io/authentication/v1.1.0/schema.json"
-        )
         extensions = doc.setdefault("stac_extensions", [])
-        if extension not in extensions:
-            extensions.append(extension)
+        if self.extension_url not in extensions:
+            extensions.append(self.extension_url)
 
         # TODO: Should we add this to items even if the assets don't match the asset expression?
         # auth:schemes
@@ -55,64 +83,41 @@ def transform_json(self, doc: dict[str, Any]) -> dict[str, Any]:
         # - Catalogs
         # - Collections
         # - Item Properties
-        # "auth:schemes": {
-        #   "oauth": {
-        #     "type": "oauth2",
-        #     "description": "requires a login and user token",
-        #     "flows": {
-        #       "authorizationUrl": "https://example.com/oauth/authorize",
-        #       "tokenUrl": "https://example.com/oauth/token",
-        #       "scopes": {}
-        #     }
-        #   }
-        # }
-        # TODO: Add directly to Collections & Catalogs doc
-        if "properties" in doc:
-            schemes = doc["properties"].setdefault("auth:schemes", {})
-            schemes[self.auth_scheme] = {
-                "type": "oauth2",
-                "description": "requires a login and user token",
+        scheme_loc = doc["properties"] if "properties" in doc else doc
+        schemes = scheme_loc.setdefault("auth:schemes", {})
+        schemes[self.auth_scheme_name] = self.auth_scheme
+        if self.signing_endpoint:
+            schemes[self.signing_scheme_name] = {
+                "type": "signedUrl",
+                "description": "Requires an authentication API",
                 "flows": {
-                    # TODO: Get authorizationUrl and tokenUrl from config
                     "authorizationCode": {
-                        "authorizationUrl": "https://example.com/oauth/authorize",
-                        "tokenUrl": "https://example.com/oauth/token",
-                        "scopes": {},
-                    },
-                },
-            }
-            if self.signing_endpoint:
-                schemes[self.signing_scheme] = {
-                    "type": "signedUrl",
-                    "description": "Requires an authentication API",
-                    "flows": {
-                        "authorizationCode": {
-                            "authorizationApi": self.signing_endpoint,
-                            "method": "POST",
-                            "parameters": {
-                                "bucket": {
-                                    "in": "body",
-                                    "required": True,
-                                    "description": "asset bucket",
-                                    "schema": {
-                                        "type": "string",
-                                        "examples": "example-bucket",
-                                    },
+                        "authorizationApi": self.signing_endpoint,
+                        "method": "POST",
+                        "parameters": {
+                            "bucket": {
+                                "in": "body",
+                                "required": True,
+                                "description": "asset bucket",
+                                "schema": {
+                                    "type": "string",
+                                    "examples": "example-bucket",
                                 },
-                                "key": {
-                                    "in": "body",
-                                    "required": True,
-                                    "description": "asset key",
-                                    "schema": {
-                                        "type": "string",
-                                        "examples": "path/to/example/asset.xyz",
-                                    },
+                            },
+                            "key": {
+                                "in": "body",
+                                "required": True,
+                                "description": "asset key",
+                                "schema": {
+                                    "type": "string",
+                                    "examples": "path/to/example/asset.xyz",
                                 },
                             },
-                            "responseField": "signed_url",
-                        }
-                    },
-                }
+                        },
+                        "responseField": "signed_url",
+                    }
+                },
+            }
 
         # auth:refs
         # ---
@@ -123,7 +128,7 @@ def transform_json(self, doc: dict[str, Any]) -> dict[str, Any]:
                     logger.warning("Asset %s has no href", asset)
                     continue
                 if re.match(self.signed_asset_expression, asset["href"]):
-                    asset.setdefault("auth:refs", []).append(self.signing_scheme)
+                    asset.setdefault("auth:refs", []).append(self.signing_scheme_name)
 
         # Annotate links with "auth:refs": [auth_scheme]
         links = chain(
@@ -136,7 +141,6 @@ def transform_json(self, doc: dict[str, Any]) -> dict[str, Any]:
             ),
         )
         for link in links:
-            print(f"{link['href']=!s}")
             if "href" not in link:
                 logger.warning("Link %s has no href", link)
                 continue
@@ -148,6 +152,6 @@ def transform_json(self, doc: dict[str, Any]) -> dict[str, Any]:
                 default_public=self.default_public,
             )
             if match.is_private:
-                link.setdefault("auth:refs", []).append(self.auth_scheme)
+                link.setdefault("auth:refs", []).append(self.auth_scheme_name)
 
         return doc

src/stac_auth_proxy/utils/middleware.py

@@ -2,15 +2,17 @@
 
 import gzip
 import json
+import re
 import zlib
 from abc import ABC, abstractmethod
 from typing import Any, Optional
 
 import brotli
-from starlette.datastructures import MutableHeaders
+from starlette.datastructures import Headers, MutableHeaders
 from starlette.requests import Request
 from starlette.types import ASGIApp, Message, Receive, Scope, Send
 
+# TODO: Consider using a single middleware to handle all compression/decompression
 ENCODING_HANDLERS = {
     "gzip": gzip,
     "deflate": zlib,
@@ -22,6 +24,9 @@ class JsonResponseMiddleware(ABC):
     """Base class for middleware that transforms JSON response bodies."""
 
     app: ASGIApp
+    json_content_type_expr: str = (
+        r"application/vnd\.oai\.openapi\+json;.*|application/json|application/geo\+json"
+    )
 
     @abstractmethod
     def should_transform_response(self, request: Request) -> bool:
@@ -35,7 +40,7 @@ def should_transform_response(self, request: Request) -> bool:
         -------
             bool: True if the response should be transformed
         """
-        pass
+        return request.headers.get("accept") == "application/json"
 
     @abstractmethod
     def transform_json(self, data: Any) -> Any:
@@ -62,16 +67,23 @@ async def __call__(self, scope: Scope, receive: Receive, send: Send) -> None:
 
         start_message: Optional[Message] = None
         body = b""
+        not_json = False
 
         async def process_message(message: Message) -> None:
             nonlocal start_message
             nonlocal body
-
+            nonlocal not_json
             if message["type"] == "http.response.start":
                 # Delay sending start message until we've processed the body
+                if not re.match(
+                    self.json_content_type_expr,
+                    Headers(scope=message).get("content-type", ""),
+                ):
+                    not_json = True
+                    return await send(message)
                 start_message = message
                 return
-            elif message["type"] != "http.response.body":
+            elif message["type"] != "http.response.body" or not_json:
                 return await send(message)
 
             body += message["body"]
@@ -94,9 +106,10 @@ async def process_message(message: Message) -> None:
                 )
 
             # Transform the JSON body
-            data = json.loads(body)
-            transformed = self.transform_json(data)
-            body = json.dumps(transformed).encode()
+            if body:
+                data = json.loads(body)
+                transformed = self.transform_json(data)
+                body = json.dumps(transformed).encode()
 
             # Re-compress if necessary
             if handler: