in progress

Author: alukach

README.md

@@ -9,11 +9,12 @@ STAC Auth Proxy is a proxy API that mediates between the client and your interna
 
 ## ✨Features✨
 
-- 🔐 Authentication: Selectively apply [OpenID Connect (OIDC)](https://openid.net/developers/how-connect-works/) auth\*n token validation & optional scope requirements to some or all endpoints & methods
-- 🛂 Content Filtering: Apply CQL2 filters to client requests, utilizing the [Filter Extension](https://github.com/stac-api-extensions/filter?tab=readme-ov-file) to filter API content based on user context
-- 🧩 Authentication Extension: Integrate the [Authentication Extension](https://github.com/stac-extensions/authentication) into API responses
-- 📘 OpenAPI Augmentation: Update API's [OpenAPI document](https://swagger.io/specification/) with security requirements, keeping auto-generated docs/UIs accurate (e.g. [Swagger UI](https://swagger.io/tools/swagger-ui/))
-- 🗜️ Response compression: Compress API responses via [`starlette-cramjam`](https://github.com/developmentseed/starlette-cramjam/)
+- **🔐 Authentication:** Apply [OpenID Connect (OIDC)](https://openid.net/developers/how-connect-works/) token validation and optional scope checks to specified endpoints and methods
+- **🛂 Content Filtering:** Use CQL2 filters via the [Filter Extension](https://github.com/stac-api-extensions/filter?tab=readme-ov-file) to tailor API responses based on user context
+- **🤝 External Policy Integration:** Integrate with externalsystems (e.g. [Open Policy Agent (OPA)](https://www.openpolicyagent.org/)) to generate CQL2 filters dynamically from policy decisions
+- **🧩 Authentication Extension:** Add the [Authentication Extension](https://github.com/stac-extensions/authentication) to API responses to expose auth-related metadata
+- **📘 OpenAPI Augmentation:** Enhance the [OpenAPI spec](https://swagger.io/specification/) with security details to keep auto-generated docs and UIs (e.g., [Swagger UI](https://swagger.io/tools/swagger-ui/)) accurate
+- **🗜️ Response Compression:** Optimize response sizes using [`starlette-cramjam`](https://github.com/developmentseed/starlette-cramjam/)
 
 ## Usage
 

examples/opa/.python-version renamed to examples/custom-integration/.python-version

@@ -0,0 +1,27 @@
+# Open Policy Agent (OPA) Integration
+
+This example demonstrates how to integrate with an Open Policy Agent (OPA) to authorize requests to a STAC API.
+
+## Running the Example
+
+From the root directory, run:
+
+```sh
+docker compose -f docker-compose.yaml -f examples/opa/docker-compose.yaml up
+```
+
+## Testing OPA
+
+```sh
+▶ curl -X POST "http://localhost:8181/v1/data/stac/cql2" \
+  -H "Content-Type: application/json" \
+  -d '{"input":{"payload": null}}'
+{"result":"private = true"}
+```
+
+```sh
+▶ curl -X POST "http://localhost:8181/v1/data/stac/cql2" \
+  -H "Content-Type: application/json" \
+  -d '{"input":{"payload": {"sub": "user1"}}}'
+{"result":"1=1"}
+```

examples/opa/Dockerfile renamed to examples/custom-integration/Dockerfile

@@ -0,0 +1,30 @@
+services:
+  proxy:
+    depends_on:
+      - stac
+      - opa
+    build:
+      context: examples/opa
+    # environment:
+    #   UPSTREAM_URL: ${UPSTREAM_URL:-http://stac:8001}
+    #   OIDC_DISCOVERY_URL: ${OIDC_DISCOVERY_URL:-http://localhost:8888/.well-known/openid-configuration}
+    #   OIDC_DISCOVERY_INTERNAL_URL: ${OIDC_DISCOVERY_INTERNAL_URL:-http://oidc:8888/.well-known/openid-configuration}
+    #   ITEMS_FILTER_CLS: opa_integration:OpaIntegration
+    #   ITEMS_FILTER_ARGS: '["http://opa:8181", "stac/cql2"]'
+    env_file:
+      - path: .env
+        required: false
+    ports:
+      - "8000:8000"
+    volumes:
+      - ./src:/app/src
+
+  opa:
+    image: openpolicyagent/opa:latest
+    command: "run --server --addr=:8181 --watch /policies"
+    ports:
+      - "8181:8181"
+    volumes:
+      - ./examples/opa/policies:/policies
+    depends_on:
+      - stac

examples/custom-integration/README.md

@@ -0,0 +1,7 @@
+package stac
+
+default cql2 := "private = true"
+
+cql2 := "1=1" if {
+	input.payload.sub != null
+}

examples/custom-integration/docker-compose.yaml

@@ -1,5 +1,5 @@
 [project]
-name = "opa_integration"
+name = "custom_integration"
 version = "0.1.0"
 description = "Add your description here"
 readme = "README.md"

examples/custom-integration/policies/stac/policy.rego

@@ -1,23 +1,8 @@
 services:
   proxy:
-    depends_on:
-      - stac
-      - opa
-    build:
-      context: examples/opa
     environment:
-      UPSTREAM_URL: ${UPSTREAM_URL:-http://stac:8001}
-      OIDC_DISCOVERY_URL: ${OIDC_DISCOVERY_URL:-http://localhost:8888/.well-known/openid-configuration}
-      OIDC_DISCOVERY_INTERNAL_URL: ${OIDC_DISCOVERY_INTERNAL_URL:-http://oidc:8888/.well-known/openid-configuration}
-      ITEMS_FILTER_CLS: opa_integration:OpaIntegration
+      ITEMS_FILTER_CLS: stac_auth_proxy.filters:Opa
       ITEMS_FILTER_ARGS: '["http://opa:8181", "stac/cql2"]'
-    env_file:
-      - path: .env
-        required: false
-    ports:
-      - "8000:8000"
-    volumes:
-      - ./src:/app/src
 
   opa:
     image: openpolicyagent/opa:latest
@@ -26,5 +11,3 @@ services:
       - "8181:8181"
     volumes:
       - ./examples/opa/policies:/policies
-    depends_on:
-      - stac

examples/opa/pyproject.toml renamed to examples/custom-integration/pyproject.toml

@@ -1,6 +1,6 @@
 package stac
 
-default cql2 := "private = true"
+default cql2 := "\"naip:year\" = 2021"
 
 cql2 := "1=1" if {
 	input.payload.sub != null