IFRCGo
diff --git a/‎applications/argocd/production/applications/montandon-eoapi/application.yaml‎
Lines changed: 77 additions & 71 deletions b/‎applications/argocd/production/applications/montandon-eoapi/application.yaml‎
Lines changed: 77 additions & 71 deletions
diff --git a/‎applications/argocd/production/applications/montandon-eoapi/internal/Chart.yaml‎
Lines changed: 7 additions & 0 deletions b/‎applications/argocd/production/applications/montandon-eoapi/internal/Chart.yaml‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎applications/argocd/production/applications/montandon-eoapi/internal/files/stac-auth-proxy/montandon_filters.py‎
Lines changed: 192 additions & 0 deletions b/‎applications/argocd/production/applications/montandon-eoapi/internal/files/stac-auth-proxy/montandon_filters.py‎
Lines changed: 192 additions & 0 deletions
@@ -8,25 +8,48 @@ metadata:
 spec:
   project: default
   sources:
+
   - repoURL: https://devseed.com/eoapi-k8s/
     chart: eoapi
-    targetRevision: 0.10.0
+    targetRevision: 0.11.2
     helm:
+      valueFiles:
+        - values/argocd.yaml
       valuesObject:
-        ingress:
+        postgrescluster:
+          # Using azure databae
+          enabled: false
+        vector:
           enabled: false
-          # host: "montandon-eoapi.ifrc.org"
-          # tls:
-          #   enabled: true
-          #   secretName: montandon-eoapi-helm-secret-cert
-          # annotations:
-          #   # increase the max body size to 100MB
-          #   nginx.ingress.kubernetes.io/proxy-body-size: "100m"
-          #   nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
-          #   nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
-          #   nginx.ingress.kubernetes.io/proxy-connect-timeout: "600"
         raster:
           enabled: false
+        ingress:
+          # Using stac-auth-proxy
+          enabled: false
+
+        serviceAccount:
+          create: true
+          automount: true
+          annotations:
+            azure.workload.identity/client-id : "8bf208ec-d73c-42d1-a4a9-817d2936a883"
+          labels:
+            azure.workload.identity/use: "true"
+
+        postgresql:
+          type: "external-secret"
+          external:
+            existingSecret:
+              # Defined here: internal/montandon-eoapi-spc.yaml
+              name: pgstac-secrets-montandon-eoapi
+              keys:
+                username: "DB_USER"
+                password: "DB_PASSWORD"
+                # Optional: if these are provided in the secret
+                # Note: These values override external.host, external.port and external.database if defined
+                host: "DB_HOST"
+                database: "DB_NAME"
+                port: "DB_PORT"
+
         stac:
           image:
             tag: 6.1.2
@@ -59,86 +82,60 @@ spec:
                 mountPath: /mnt/secrets-store
                 readOnly: true
             extraVolumes:
+              # Not required for eoAPI, but secrets-store.csi.k8s.io needs at least one pod to mount SecretProviderClass to sync Azure Key Vault with the Kubernetes secret pgstac-secrets-montandon-eoapi
               - name: azure-keyvault-secrets
                 csi:
                   driver: secrets-store.csi.k8s.io
                   readOnly: true
                   volumeAttributes:
                     secretProviderClass: azure-secret-provider-montandon-eoapi
-        vector:
-          enabled: false
 
-        serviceAccount:
-          create: true
-          automount: true
-          annotations:
-            azure.workload.identity/client-id : "8bf208ec-d73c-42d1-a4a9-817d2936a883"
-          labels:
-            azure.workload.identity/use: "true"
-
-        # pgstacBootstrap:
-        #   enabled: true
-        #   settings:
-        #     annotations:
-        #       argocd.argoproj.io/hook: Sync
-        #     # labels:
-        #     #   azure.workload.identity/use: "true"
-        #     # extraVolumes:
-        #     #   - name: azure-keyvault-secrets
-        #     #     csi:
-        #     #       driver: secrets-store.csi.k8s.io
-        #     #       readOnly: true
-        #     #       volumeAttributes:
-        #     #         secretProviderClass: azure-secret-provider-montandon-eoapi
-        #     queryables:
-        #       # configMap
-        #       - name: "stac-queryables.json"
-        #         configMapRef:
-        #           name: montandon-eoapi-stac-queryables
-        #           key: stac_queryables.json
-        #         indexFields: ["monty:hazard_codes", "monty:country_codes", "roles"]
-        #         deleteMissing: true
-        postgresql:
-          type: "external-secret"
-          external:
-            existingSecret:
-              name: pgstac-secrets-montandon-eoapi
-              keys:
-                username: "DB_USER"
-                password: "DB_PASSWORD"
-                # Optional: if these are provided in the secret
-                # Note: These values override external.host, external.port and external.database if defined
-                host: "DB_HOST"
-                database: "DB_NAME"
-                port: "DB_PORT"
+        pgstacBootstrap:
+          enabled: true
+          settings:
+            loadSamples: false
+            queryables:
+              - name: "stac_queryables.json"
+                indexFields: ["monty:hazard_codes","monty:country_codes","roles"]
+                deleteMissing: true
+                configMapRef:
+                  name: montandon-eoapi-stac-queryables
+                  key: stac_queryables.json
 
-        postgrescluster:
-          enabled: false
-          # instances:
-          # - name: eoapi
-          #   replicas: 1
-          #   dataVolumeClaimSpec:
-          #     accessModes:
-          #     - "ReadWriteOnce"
-          #     resources:
-          #       requests:
-          #         storage: "600Gi"
-          #         cpu: "1024m"
-          #         memory: "3048Mi"
   - path: applications/argocd/production/applications/montandon-eoapi/internal/
     targetRevision: develop
     repoURL: https://github.com/IFRCGo/go-deploy.git
+    helm:
+      valuesObject:
+        azure:
+          clientID: 8bf208ec-d73c-42d1-a4a9-817d2936a883
+          secretProviderClass:
+            enabled: true
+            keyvaultName: montandon-eoapi-producti
+
   - repoURL: https://github.com/developmentseed/stac-auth-proxy.git
-    targetRevision: v0.9.2
+    targetRevision: v1.0.3
     path: helm/
     helm:
       valuesObject:
+        # HealthCheck endpoints - https://github.com/developmentseed/stac-auth-proxy/pull/143
+        startupProbe:
+          httpGet:
+            path: /stac/healthz
+        livenessProbe:
+          httpGet:
+            path: /stac/healthz
+        readinessProbe:
+          httpGet:
+            path: /stac/healthz
         env:
           UPSTREAM_URL: "http://montandon-eoapi-stac:8080"
           # UPSTREAM_URL: "https://montandon-eoapi.ifrc.org/stac"
           OIDC_DISCOVERY_URL: "https://goadmin.ifrc.org/o/.well-known/openid-configuration"
           OVERRIDE_HOST: "0"
           ROOT_PATH: "/stac"
+          COLLECTIONS_FILTER_CLS: stac_auth_proxy.montandon_filters:CollectionsFilter
+          ITEMS_FILTER_CLS: stac_auth_proxy.montandon_filters:ItemsFilter
         ingress:
           enabled: "true"
           host: "montandon-eoapi.ifrc.org"
@@ -147,6 +144,15 @@ spec:
             enabled: "true"
             secretName: "montandon-eoapi-helm-secret-cert"
         replicaCount: 1
+        extraVolumes:
+          - name: filters
+            configMap:
+              name: stac-auth-proxy-filters
+        extraVolumeMounts:
+          - name: filters
+            mountPath: /app/src/stac_auth_proxy/montandon_filters.py
+            subPath: montandon_filters.py
+            readOnly: true
   destination:
     server: https://kubernetes.default.svc
     namespace: montandon-eoapi
 
@@ -0,0 +1,7 @@
+apiVersion: v2
+name: montandon-eoapi-extra-manifests
+description: Montandon eoAPI extra manifests
+type: application
+
+version: 0.1.0
+appVersion: "1.0"
@@ -0,0 +1,192 @@
+"""
+CQL2 filter factories.
+
+These classes will be initialized at the startup of the STAC Auth Proxy service and will
+be called for each request to collections/items endpoints in order to generate CQL2
+filters based on the JWT permissions.
+
+docs: https://developmentseed.org/stac-auth-proxy/user-guide/record-level-auth/
+"""
+
+import asyncio
+import dataclasses
+import os
+import time
+import logging
+from typing import Any, Literal, Optional, Sequence
+
+import httpx
+
+logger = logging.getLogger(__name__)
+
+if not (UPSTREAM_URL := os.environ.get("UPSTREAM_URL")):
+    raise ValueError("Failed to retrieve upstream URL")
+
+
+def cql2_in_query(
+    variable: Literal["collection", "id"], collection_ids: Sequence[str]
+) -> str:
+    """
+    Generate CQL2 query to see if value of variable matches any element of sequence of
+    strings. Due to CQL2 syntax ambiguities around single element arrays with the "in"
+    operator, we use a direct comparison when there's only one permitted collection.
+    """
+    if not collection_ids:
+        return "1=0"
+
+    if len(collection_ids) == 1:
+        return f"{variable} = " + repr(list(collection_ids)[0])
+
+    return f"{variable} IN ({','.join(repr(c_id) for c_id in collection_ids)})"
+
+
+@dataclasses.dataclass
+class CollectionsFilter:
+    """
+    CQL2 filter factory for collections based on JWT permissions.
+    """
+
+    collections_claim: str = "collections"  # JWT claim with allowed collection IDs
+    admin_claim: str = "superuser"  # JWT claim indicating superuser status
+    public_collections_filter: str = "(private IS NULL OR private = false)"
+
+    async def __call__(self, context: dict[str, Any]) -> str:
+        jwt_payload: Optional[dict[str, Any]] = context.get("payload")
+
+        # Anonymous: no data
+        if not jwt_payload:
+            logger.debug("Anonymous user, no collections permitted to be viewed")
+            return "1=0"
+
+        # Superuser: all data
+        if jwt_payload.get(self.admin_claim) == "true":
+            logger.debug(
+                f"Superuser detected for sub {jwt_payload.get('sub')}, "
+                "no filter applied for collections"
+            )
+            return "1=1"  # No filter for superusers
+
+        # Authenticated user: Allowed to access collections mentioned in JWT
+        permitted_collections = jwt_payload.get(self.collections_claim, [])
+        return " OR ".join(
+            [
+                self.public_collections_filter,
+                cql2_in_query("id", permitted_collections),
+            ]
+        )
+
+
+@dataclasses.dataclass
+class ItemsFilter:
+    """
+    CQL2 filter factory for items based on JWT permissions.
+    """
+
+    collections_claim: str = "collections"  # JWT claim with allowed collection IDs
+    admin_claim: str = "superuser"  # JWT claim indicating superuser status
+    public_collections_filter: str = "(private IS NULL OR private = false)"
+
+    cache_ttl: int = 30  # TTL for caching public collections, in seconds
+    _client: httpx.AsyncClient = dataclasses.field(
+        init=False,
+        repr=False,
+        default_factory=lambda: httpx.AsyncClient(base_url=UPSTREAM_URL),
+    )
+    _public_collections_cache: Optional[list[str]] = dataclasses.field(
+        init=False, default=None, repr=False
+    )
+    _cache_expiry: float = dataclasses.field(init=False, default=0, repr=False)
+    _cache_lock: asyncio.Lock = dataclasses.field(
+        init=False, repr=False, default_factory=asyncio.Lock
+    )
+
+    @property
+    def _cached_public_collections(self) -> Optional[list[str]]:
+        """Return cached public collections if still valid, otherwise None."""
+        if time.time() < self._cache_expiry:
+            return self._public_collections_cache
+        return None
+
+    @_cached_public_collections.setter
+    def _cached_public_collections(self, value: list[str]) -> None:
+        """Set the cache with a new value and expiry time."""
+        self._public_collections_cache = value
+        self._cache_expiry = time.time() + self.cache_ttl
+
+    async def _get_public_collections_ids(self) -> list[str]:
+        """
+        Retrieve IDs of public collections from the upstream API.
+        Uses a lock to prevent concurrent requests from fetching the same data.
+        """
+        # Return cached value if still valid (fast path without lock)
+        if (cached := self._cached_public_collections) is not None:
+            logger.debug("Using cached public collections")
+            return cached
+
+        # Acquire lock to prevent concurrent fetches
+        async with self._cache_lock:
+            # Double-check cache after acquiring lock
+            # Another coroutine might have populated it while we waited
+            if (cached := self._cached_public_collections) is not None:
+                logger.debug("Using cached public collections (after lock)")
+                return cached
+
+            logger.debug("Fetching public collections from upstream API")
+
+            # First request uses params dict
+            url: Optional[str] = "/collections"
+            params: Optional[dict[str, Any]] = {
+                "filter": self.public_collections_filter,
+                "limit": 100,
+            }
+
+            ids = []
+            while url:
+                try:
+                    response = await self._client.get(url, params=params)
+                    response.raise_for_status()
+                    data = response.json()
+                except httpx.HTTPError:
+                    logger.exception(f"Failed to fetch {url!r}.")
+                    raise
+                ids.extend(collection["id"] for collection in data["collections"])
+
+                # Subsequent requests use the "next" link URL directly (already has params)
+                url = next(
+                    (link["href"] for link in data["links"] if link["rel"] == "next"),
+                    None,
+                )
+                params = None  # Clear params after first request
+
+            # Update cache
+            self._cached_public_collections = ids
+            return ids
+
+    async def __call__(self, context: dict[str, Any]) -> str:
+        jwt_payload: Optional[dict[str, Any]] = context.get("payload")
+
+        # Anonymous: no data
+        if not jwt_payload:
+            logger.debug("Anonymous user, no items permitted to be viewed")
+            return "1=0"
+
+        # Superuser: all data
+        if jwt_payload.get(self.admin_claim) == "true":
+            logger.debug(
+                f"Superuser detected for sub {jwt_payload.get('sub')}, "
+                "no filter applied for items"
+            )
+            return "1=1"
+
+        # Everyone: Allowed access to items in public collections
+        try:
+            permitted_collections = set(await self._get_public_collections_ids())
+        except httpx.HTTPError:
+            logger.warning("Failed to fetch public collections.")
+            permitted_collections = set()
+
+        # Authenticated user: Allowed to access items in collections mentioned in JWT
+        if jwt_payload:
+            permitted_collections.update(jwt_payload.get(self.collections_claim, []))
+
+        return cql2_in_query("collection", permitted_collections)