refactor: scopes change from tuple to str

alukach · alukach · commit fb5930e5b0e4 · 2025-03-22T22:41:36.000-07:00
diff --git a/README.md b/README.md
@@ -80,7 +80,7 @@ The application is configurable via environment variables.
     - **Required:** No, defaults to `false`
     - **Example:** `false`, `1`, `True`
   - **`PRIVATE_ENDPOINTS`**, endpoints explicitly marked as requiring authentication, used when `DEFAULT_PUBLIC == True`
-    - **Type:** JSON object mapping regex patterns to HTTP methods OR tuples of HTTP methods and an array of strings representing required scopes
+    - **Type:** JSON object mapping regex patterns to HTTP methods OR tuples of an HTTP method and string representing required scopes
     - **Required:** No, defaults to the following:
       ```json
       {
diff --git a/src/stac_auth_proxy/config.py b/src/stac_auth_proxy/config.py
@@ -9,9 +9,7 @@
 
 METHODS = Literal["GET", "POST", "PUT", "DELETE", "PATCH"]
 EndpointMethodsNoScope: TypeAlias = dict[str, Sequence[METHODS]]
-EndpointMethods: TypeAlias = dict[
-    str, Sequence[Union[METHODS, tuple[METHODS, Sequence[str]]]]
-]
+EndpointMethods: TypeAlias = dict[str, Sequence[Union[METHODS, tuple[METHODS, str]]]]
 
 _PREFIX_PATTERN = r"^/.*$"
 
diff --git a/src/stac_auth_proxy/utils/requests.py b/src/stac_auth_proxy/utils/requests.py
@@ -37,7 +37,9 @@ def _check_endpoint_match(
             for endpoint_method in endpoint_methods:
                 required_scopes: Sequence[str] = []
                 if isinstance(endpoint_method, tuple):
-                    endpoint_method, required_scopes = endpoint_method
+                    endpoint_method, _required_scopes = endpoint_method
+                    if _required_scopes:  # Ignore empty scopes, e.g. `["POST", ""]`
+                        required_scopes = _required_scopes.split(" ")
                 if method.casefold() == endpoint_method.casefold():
                     return True, required_scopes
     return False, []
diff --git a/tests/test_authn.py b/tests/test_authn.py
@@ -51,22 +51,48 @@ def test_default_public_false(source_api_server, path, method, token_builder):
 
 
 @pytest.mark.parametrize(
-    "token,permitted",
+    "rules,token,permitted",
     [
-        [{"scope": "collection:create"}, True],
-        [{"scope": ""}, False],
-        [{"scope": "openid"}, False],
-        [{"scope": "openid collection:create"}, True],
+        [
+            [("POST", "collection:create")],
+            {"scope": "collection:create"},
+            True,
+        ],
+        [
+            [("POST", "collection:create")],
+            {"scope": ""},
+            False,
+        ],
+        [
+            [("POST", "collection:create")],
+            {"scope": "openid"},
+            False,
+        ],
+        [
+            [("POST", "collection:create")],
+            {"scope": "openid collection:create"},
+            True,
+        ],
+        [
+            [("POST", "foo collection:create")],
+            {"scope": "openid collection:create foo"},
+            True,
+        ],
+        [
+            [("GET", "collection:read"), ("POST", "collection:create")],
+            {"scope": "openid collection:read"},
+            False,
+        ],
     ],
 )
 def test_default_public_false_with_scopes(
-    source_api_server, token, permitted, token_builder
+    source_api_server, rules, token, permitted, token_builder
 ):
     """Private endpoints permit access with a valid token."""
     test_app = app_factory(
         upstream_url=source_api_server,
         default_public=False,
-        private_endpoints={r"^/collections$": [("POST", ["collection:create"])]},
+        private_endpoints={r"^/collections$": rules},
     )
     valid_auth_token = token_builder(token)
 
@@ -84,31 +110,31 @@ def test_default_public_false_with_scopes(
     [
         pytest.param(
             "",
-            {r"^/*": [("POST", ["collection:create"])]},
+            {r"^/*": [("POST", "collection:create")]},
             "/collections",
             "POST",
             False,
             id="empty scopes + private endpoint",
         ),
         pytest.param(
             "openid profile collection:createbutnotcreate",
-            {r"^/*": [("POST", ["collection:create"])]},
+            {r"^/*": [("POST", "collection:create")]},
             "/collections",
             "POST",
             False,
             id="invalid scopes + private endpoint",
         ),
         pytest.param(
             "openid profile collection:create somethingelse",
-            {r"^/*": [("POST", [])]},
+            {r"^/*": [("POST", "")]},
             "/collections",
             "POST",
             True,
             id="valid scopes + private endpoint without required scopes",
         ),
         pytest.param(
             "openid",
-            {r"^/collections/.*/items$": [("POST", ["collection:create"])]},
+            {r"^/collections/.*/items$": [("POST", "collection:create")]},
             "/collections",
             "GET",
             True,

Original file line number	Diff line number	Diff line change
`@@ -80,7 +80,7 @@ The application is configurable via environment variables.`
`80`	`80`	- Required: No, defaults to `false`
`81`	`81`	- Example: `false`, `1`, `True`
`82`	`82`	- `PRIVATE_ENDPOINTS`, endpoints explicitly marked as requiring authentication, used when `DEFAULT_PUBLIC == True`
`83`		`- - Type: JSON object mapping regex patterns to HTTP methods OR tuples of HTTP methods and an array of strings representing required scopes`
	`83`	`+ - Type: JSON object mapping regex patterns to HTTP methods OR tuples of an HTTP method and string representing required scopes`
`84`	`84`	`- Required: No, defaults to the following:`
`85`	`85`	```json
`86`	`86`	`{`