Rely on stac-auth-proxy helm options.

Author: pantierra

CHANGELOG.md

@@ -12,7 +12,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Added support for annotations on the PgSTAC bootstrap job via `pgstacBootstrap.jobAnnotations` in values.yaml [#381](https://github.com/developmentseed/eoapi-k8s/pull/381)
 - Added load testing scripts [#373](https://github.com/developmentseed/eoapi-k8s/pull/373)
 - Added auth support to STAC Browser [#376](https://github.com/developmentseed/eoapi-k8s/pull/376)
-- Added support for custom filters configuration via `customFiltersFile` in values.yaml [#388](https://github.com/developmentseed/eoapi-k8s/pull/388)
+- Added support for stac-auth-proxy's helm chart authorization configuration [#388](https://github.com/developmentseed/eoapi-k8s/pull/388)
 
 ### Fixed
 

charts/eoapi/data/stac-auth-proxy/custom_filters.py

@@ -1,6 +1,18 @@
 """
 Sample custom filters for STAC Auth Proxy.
 This file demonstrates the structure needed for custom collection and item filters.
+
+Enable via:
+  authorization:
+    record:
+      mode: "custom"
+      custom:
+        filtersFile: "data/stac-auth-proxy/custom_filters.py"
+
+The chart automatically:
+- Creates ConfigMap and mounts this file
+- Sets COLLECTIONS_FILTER_CLS=stac_auth_proxy.custom_filters:CollectionsFilter
+- Sets ITEMS_FILTER_CLS=stac_auth_proxy.custom_filters:ItemsFilter
 """
 
 import dataclasses
@@ -11,17 +23,32 @@
 class CollectionsFilter:
     """Filter collections based on user permissions."""
 
-    async def __call__(self, context: dict[str, Any]) -> str:
-        """Return True if user can access this collection."""
-        # Example: Allow all collections for authenticated users
+    async def __call__(self, context: dict[str, Any]) -> str | dict[str, Any]:
+        """
+        Return format:
+        - CQL2-text string (simpler): "1=1" or "private = false"
+        - CQL2-JSON dict (complex): {"op": "=", "args": [{"property": "owner"}, "user123"]}
+
+        Examples:
+        - Allow all: return "1=1"
+        - Restrict by user: return f"owner = '{context['token']['sub']}'"
+        - Public only: return "private = false" if not context["token"] else "1=1"
+        - Complex (dict): return {"op": "in", "args": [{"property": "id"}, ["col1", "col2"]]}
+        """
         return "1=1"
 
 
 @dataclasses.dataclass
 class ItemsFilter:
     """Filter items based on user permissions."""
+    """Returns CQL2 filter for /search and /collections/{id}/items endpoints."""
 
-    async def __call__(self, context: dict[str, Any]) -> str:
-        """Return True if user can access this item."""
-        # Example: Allow all items for authenticated users
+    async def __call__(self, context: dict[str, Any]) -> str | dict[str, Any]:
+        """
+        Examples:
+        - Allow all: return "1=1"
+        - Collection-based: return f"collection = '{context['collection_id']}'"
+        - User-based: return f"properties.owner = '{context['token']['sub']}'"
+        - Complex (dict): return {"op": "in", "args": [{"property": "collection"}, approved_list]}
+        """
         return "1=1"

charts/eoapi/templates/core/stac-auth-proxy-filters-configmap.yaml

@@ -423,39 +423,39 @@ stac-auth-proxy:
     port: 8080
   resources: {}
   env:
+    # OIDC_DISCOVERY_URL must be configured when enabling auth (required)
     ROOT_PATH: "/stac"
     OVERRIDE_HOST: "false"
+
     # UPSTREAM_URL will be set dynamically in template to point to stac service
-    # OIDC_DISCOVERY_URL must be configured when enabling auth
-    # OIDC_DISCOVERY_URL must be configured when enabling auth
-    # UPSTREAM_URL will be set dynamically in template to point to stac service
-    #
-    # Authentication filters settings:
-    DEFAULT_PUBLIC: "true" # This enables standard profile for authentication filters
-    # Alternatively with the following settings custom filters can be added
-    # These must be mounted with extraVolumes/extraVolumeMounts (see below)
-    # COLLECTIONS_FILTER_CLS: stac_auth_proxy.custom_filters:CollectionsFilter
-    # ITEMS_FILTER_CLS: stac_auth_proxy.custom_filters:ItemsFilter
-
-  # Path to custom filters file (relative to chart root)
-  # When extraVolumes is configured, a ConfigMap will be created from this file
-  # customFiltersFile: "data/stac-auth-proxy/custom_filters.py"
-
-  # Additional volumes to mount (e.g., for custom filter files)
-  extraVolumes: []
-  # Example:
-  # extraVolumes:
-  #   - name: filters
-  #     configMap:
-  #       name: stac-auth-proxy-filters
-  # Additional volume mounts for the container
-  extraVolumeMounts: []
-  # Example:
-  # extraVolumeMounts:
-  #   - name: filters
-  #     mountPath: /app/src/stac_auth_proxy/custom_filters.py
-  #     subPath: custom_filters.py
-  #     readOnly: true
+
+  # Authorization configuration
+  # Uses stac-auth-proxy's native authorization settings
+  authorization:
+    # Route-level authorization controls API endpoint access
+    route:
+      mode: "default"  # "default" (public reads, protected writes), "custom", or "disabled"
+      # For custom mode, define publicEndpoints and privateEndpoints
+      # publicEndpoints: {}
+      # privateEndpoints: {}
+
+    # Record-level authorization filters collections/items visibility
+    record:
+      mode: "disabled"  # "disabled" (default), "custom", or "opa"
+      # For custom Python filters, specify the file path
+      # custom:
+      #   filtersFile: "data/stac-auth-proxy/custom_filters.py"
+      # For OPA-based filtering
+      # opa:
+      #   url: "http://opa-service:8181"
+      #   policy: "stac/items/allow"
+
+  # For special cases, direct env variable configuration is possible
+  # and takes precedence over authorization settings.
+  # env:
+  #   DEFAULT_PUBLIC: "true"
+  #   COLLECTIONS_FILTER_CLS: "stac_auth_proxy.custom_filters:CollectionsFilter"
+  #   ITEMS_FILTER_CLS: "stac_auth_proxy.custom_filters:ItemsFilter"
 
 vector:
   enabled: true