Merge pull request #163 from IFRCGo/feat/cql2-filtering

Author: thenav56

.pre-commit-config.yaml

@@ -5,6 +5,7 @@ repos:
       - id: trailing-whitespace
       - id: end-of-file-fixer
       - id: check-yaml
+        exclude: ^applications/.*/internal/
       - id: check-case-conflict
       - id: detect-private-key
 

applications/argocd/staging/applications/montandon-eoapi/application.yaml

@@ -105,6 +105,13 @@ spec:
   - path: applications/argocd/staging/applications/montandon-eoapi/internal/
     targetRevision: develop
     repoURL: https://github.com/IFRCGo/go-deploy.git
+    helm:
+      valuesObject:
+        azure:
+          clientID: 9b1f12a8-4ae9-4281-afa9-948451f77dce
+          secretProviderClass:
+            enabled: true
+            keyvaultName: montandon-eoapi-staging
 
   - repoURL: https://github.com/developmentseed/stac-auth-proxy.git
     targetRevision: v0.9.2
@@ -117,6 +124,8 @@ spec:
           OIDC_DISCOVERY_URL: "https://goadmin-stage.ifrc.org/o/.well-known/openid-configuration"
           OVERRIDE_HOST: "0"
           ROOT_PATH: "/stac"
+          COLLECTIONS_FILTER_CLS: stac_auth_proxy.montandon_filters:CollectionsFilter
+          ITEMS_FILTER_CLS: stac_auth_proxy.montandon_filters:ItemsFilter
         ingress:
           enabled: "true"
           host: "montandon-eoapi-stage.ifrc.org"
@@ -125,7 +134,15 @@ spec:
             enabled: "true"
             secretName: "montandon-eoapi-helm-secret-cert"
         replicaCount: 1
-
+        extraVolumes:
+          - name: filters
+            configMap:
+              name: stac-auth-proxy-filters
+        extraVolumeMounts:
+          - name: filters
+            mountPath: /app/src/stac_auth_proxy/montandon_filters.py
+            subPath: montandon_filters.py
+            readOnly: true
   destination:
     server: https://kubernetes.default.svc
     namespace: montandon-eoapi

applications/argocd/staging/applications/montandon-eoapi/internal/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v2
+name: montandon-eoapi-extra-manifests
+description: Montandon eoAPI extra manifests
+type: application
+
+version: 0.1.0
+appVersion: "1.0"

applications/argocd/staging/applications/montandon-eoapi/internal/files/stac-auth-proxy/montandon_filters.py

@@ -0,0 +1,192 @@
+"""
+CQL2 filter factories.
+
+These classes will be initialized at the startup of the STAC Auth Proxy service and will
+be called for each request to collections/items endpoints in order to generate CQL2
+filters based on the JWT permissions.
+
+docs: https://developmentseed.org/stac-auth-proxy/user-guide/record-level-auth/
+"""
+
+import asyncio
+import dataclasses
+import os
+import time
+import logging
+from typing import Any, Literal, Optional, Sequence
+
+import httpx
+
+logger = logging.getLogger(__name__)
+
+if not (UPSTREAM_URL := os.environ.get("UPSTREAM_URL")):
+    raise ValueError("Failed to retrieve upstream URL")
+
+
+def cql2_in_query(
+    variable: Literal["collection", "id"], collection_ids: Sequence[str]
+) -> str:
+    """
+    Generate CQL2 query to see if value of variable matches any element of sequence of
+    strings. Due to CQL2 syntax ambiguities around single element arrays with the "in"
+    operator, we use a direct comparison when there's only one permitted collection.
+    """
+    if not collection_ids:
+        return "1=0"
+
+    if len(collection_ids) == 1:
+        return f"{variable} = " + repr(list(collection_ids)[0])
+
+    return f"{variable} IN ({','.join(repr(c_id) for c_id in collection_ids)})"
+
+
+@dataclasses.dataclass
+class CollectionsFilter:
+    """
+    CQL2 filter factory for collections based on JWT permissions.
+    """
+
+    collections_claim: str = "collections"  # JWT claim with allowed collection IDs
+    admin_claim: str = "superuser"  # JWT claim indicating superuser status
+    public_collections_filter: str = "(private IS NULL OR private = false)"
+
+    async def __call__(self, context: dict[str, Any]) -> str:
+        jwt_payload: Optional[dict[str, Any]] = context.get("payload")
+
+        # Anonymous: no data
+        if not jwt_payload:
+            logger.debug("Anonymous user, no collections permitted to be viewed")
+            return "1=0"
+
+        # Superuser: all data
+        if jwt_payload.get(self.admin_claim) == "true":
+            logger.debug(
+                f"Superuser detected for sub {jwt_payload.get('sub')}, "
+                "no filter applied for collections"
+            )
+            return "1=1"  # No filter for superusers
+
+        # Authenticated user: Allowed to access collections mentioned in JWT
+        permitted_collections = jwt_payload.get(self.collections_claim, [])
+        return " OR ".join(
+            [
+                self.public_collections_filter,
+                cql2_in_query("id", permitted_collections),
+            ]
+        )
+
+
+@dataclasses.dataclass
+class ItemsFilter:
+    """
+    CQL2 filter factory for items based on JWT permissions.
+    """
+
+    collections_claim: str = "collections"  # JWT claim with allowed collection IDs
+    admin_claim: str = "superuser"  # JWT claim indicating superuser status
+    public_collections_filter: str = "(private IS NULL OR private = false)"
+
+    cache_ttl: int = 30  # TTL for caching public collections, in seconds
+    _client: httpx.AsyncClient = dataclasses.field(
+        init=False,
+        repr=False,
+        default_factory=lambda: httpx.AsyncClient(base_url=UPSTREAM_URL),
+    )
+    _public_collections_cache: Optional[list[str]] = dataclasses.field(
+        init=False, default=None, repr=False
+    )
+    _cache_expiry: float = dataclasses.field(init=False, default=0, repr=False)
+    _cache_lock: asyncio.Lock = dataclasses.field(
+        init=False, repr=False, default_factory=asyncio.Lock
+    )
+
+    @property
+    def _cached_public_collections(self) -> Optional[list[str]]:
+        """Return cached public collections if still valid, otherwise None."""
+        if time.time() < self._cache_expiry:
+            return self._public_collections_cache
+        return None
+
+    @_cached_public_collections.setter
+    def _cached_public_collections(self, value: list[str]) -> None:
+        """Set the cache with a new value and expiry time."""
+        self._public_collections_cache = value
+        self._cache_expiry = time.time() + self.cache_ttl
+
+    async def _get_public_collections_ids(self) -> list[str]:
+        """
+        Retrieve IDs of public collections from the upstream API.
+        Uses a lock to prevent concurrent requests from fetching the same data.
+        """
+        # Return cached value if still valid (fast path without lock)
+        if (cached := self._cached_public_collections) is not None:
+            logger.debug("Using cached public collections")
+            return cached
+
+        # Acquire lock to prevent concurrent fetches
+        async with self._cache_lock:
+            # Double-check cache after acquiring lock
+            # Another coroutine might have populated it while we waited
+            if (cached := self._cached_public_collections) is not None:
+                logger.debug("Using cached public collections (after lock)")
+                return cached
+
+            logger.debug("Fetching public collections from upstream API")
+
+            # First request uses params dict
+            url: Optional[str] = "/collections"
+            params: Optional[dict[str, Any]] = {
+                "filter": self.public_collections_filter,
+                "limit": 100,
+            }
+
+            ids = []
+            while url:
+                try:
+                    response = await self._client.get(url, params=params)
+                    response.raise_for_status()
+                    data = response.json()
+                except httpx.HTTPError:
+                    logger.exception(f"Failed to fetch {url!r}.")
+                    raise
+                ids.extend(collection["id"] for collection in data["collections"])
+
+                # Subsequent requests use the "next" link URL directly (already has params)
+                url = next(
+                    (link["href"] for link in data["links"] if link["rel"] == "next"),
+                    None,
+                )
+                params = None  # Clear params after first request
+
+            # Update cache
+            self._cached_public_collections = ids
+            return ids
+
+    async def __call__(self, context: dict[str, Any]) -> str:
+        jwt_payload: Optional[dict[str, Any]] = context.get("payload")
+
+        # Anonymous: no data
+        if not jwt_payload:
+            logger.debug("Anonymous user, no items permitted to be viewed")
+            return "1=0"
+
+        # Superuser: all data
+        if jwt_payload.get(self.admin_claim) == "true":
+            logger.debug(
+                f"Superuser detected for sub {jwt_payload.get('sub')}, "
+                "no filter applied for items"
+            )
+            return "1=1"
+
+        # Everyone: Allowed access to items in public collections
+        try:
+            permitted_collections = set(await self._get_public_collections_ids())
+        except httpx.HTTPError:
+            logger.warning("Failed to fetch public collections.")
+            permitted_collections = set()
+
+        # Authenticated user: Allowed to access items in collections mentioned in JWT
+        if jwt_payload:
+            permitted_collections.update(jwt_payload.get(self.collections_claim, []))
+
+        return cql2_in_query("collection", permitted_collections)

applications/argocd/staging/applications/montandon-eoapi/internal/files/stac_queryables.json

@@ -0,0 +1,121 @@
+{
+  "$schema": "https://json-schema.org/draft/2019-09/schema",
+  "$id": "https://example.com/stac/queryables",
+  "type": "object",
+  "title": "Queryables for Monty STAC API",
+  "description": "Queryable names for the Monty STAC API",
+  "properties": {
+    "id": {
+      "description": "Item identifier",
+      "type": "string"
+    },
+    "collection": {
+      "description": "Collection identifier",
+      "type": "string"
+    },
+    "datetime": {
+      "description": "Datetime",
+      "type": "string",
+      "format": "date-time"
+    },
+    "geometry": {
+      "description": "Geometry",
+      "type": "object"
+    },
+    "monty:episode_number": {
+      "description": "The episode number of the event (deprecated)",
+      "type": "integer"
+    },
+    "monty:country_codes": {
+      "description": "The country codes of the countries affected by the event, hazard, impact or response",
+      "type": "array",
+      "items": {
+        "type": "string",
+        "pattern": "^([A-Z]{3})|AB9$"
+      }
+    },
+    "monty:corr_id": {
+      "description": "The unique identifier assigned by the Monty system to the reference event",
+      "type": "string"
+    },
+    "monty:hazard_codes": {
+      "description": "The hazard codes of the hazards affecting the event",
+      "type": "array",
+      "items": {
+        "type": "string",
+        "pattern": "^([A-Z]{2}(?:\\d{4}$){0,1})|([a-z]{3}-[a-z]{3}-[a-z]{3}-[a-z]{3})|([A-Z]{2})$"
+      }
+    },
+    "roles": {
+      "description": "The roles of the item",
+      "type": "array",
+      "items": {
+        "type": "string",
+        "enum": ["event", "reference", "source", "hazard", "impact", "response"]
+      }
+    },
+    "monty:hazard_detail.cluster": {
+      "description": "The cluster of the hazard (deprecated)",
+      "type": "string"
+    },
+    "monty:hazard_detail.severity_value": {
+      "description": "The estimated maximum hazard intensity/magnitude/severity value",
+      "type": "number"
+    },
+    "monty:hazard_detail.severity_unit": {
+      "description": "The unit of the severity value",
+      "type": "string"
+    },
+    "monty:hazard_detail.estimate_type": {
+      "description": "The type of the estimate",
+      "type": "string",
+      "enum": ["primary", "secondary", "modelled"]
+    },
+    "monty:impact_detail.category": {
+      "description": "The category of impact",
+      "type": "string",
+      "enum": [
+        "people", "crops", "women", "men", "children_0_4", "children_5_9",
+        "children_10_14", "children_15_19", "adult_20_24", "adult_25_29",
+        "adult_30_34", "adult_35_39", "adult_40_44", "adult_45_49",
+        "adult_50_54", "adult_55_59", "adult_60_64", "elderly",
+        "wheelchair_users", "roads", "railways", "vulnerable_employment",
+        "buildings", "reconstruction_costs", "hospitals", "schools",
+        "local_currency", "global_currency", "local_currency_adj",
+        "global_currency_adj", "usd_uncertain", "cattle", "aid_general",
+        "ifrc_contribution", "ifrc_requested", "alertscore", "households"
+      ]
+    },
+    "monty:impact_detail.type": {
+      "description": "The estimated value type of the impact",
+      "type": "string",
+      "enum": [
+        "unspecified", "unaffected", "damaged", "destroyed", "potentially_damaged",
+        "affected_total", "affected_direct", "affected_indirect", "death",
+        "missing", "injured", "evacuated", "relocated", "assisted",
+        "shelter_emergency", "shelter_temporary", "shelter_longterm", "in_need",
+        "targeted", "disrupted", "cost", "homeless", "displaced_internal",
+        "displaced_external", "displaced_total", "alertscore", "potentially_affected",
+        "highest_risk"
+      ]
+    },
+    "monty:impact_detail.value": {
+      "description": "The estimated impact value",
+      "type": "number"
+    },
+    "monty:impact_detail.unit": {
+      "description": "The units of the impact estimate",
+      "type": "string"
+    },
+    "monty:impact_detail.estimate_type": {
+      "description": "The type of the estimate",
+      "type": "string",
+      "enum": ["primary", "secondary", "modelled"]
+    },
+    "monty:impact_detail.description": {
+      "description": "The description of the impact",
+      "type": "string"
+    }
+  },
+  "additionalProperties": true
+}