Added custom filter logic for stac-auth-proxy.

Author: pantierra

CHANGELOG.md

@@ -12,6 +12,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Added support for annotations on the PgSTAC bootstrap job via `pgstacBootstrap.jobAnnotations` in values.yaml [#381](https://github.com/developmentseed/eoapi-k8s/pull/381)
 - Added load testing scripts [#373](https://github.com/developmentseed/eoapi-k8s/pull/373)
 - Added auth support to STAC Browser [#376](https://github.com/developmentseed/eoapi-k8s/pull/376)
+- Added support for custom filters configuration via `customFiltersFile` in values.yaml [#388](https://github.com/developmentseed/eoapi-k8s/pull/388)
 
 ### Fixed
 

charts/eoapi/data/stac-auth-proxy/custom_filters.py

@@ -0,0 +1,41 @@
+"""
+Sample custom filters for STAC Auth Proxy.
+This file demonstrates the structure needed for custom collection and item filters.
+"""
+
+import dataclasses
+from typing import Any
+
+
+@dataclasses.dataclass
+class CollectionsFilter:
+    """Returns CQL2 filter for /collections endpoint."""
+
+    async def __call__(self, context: dict[str, Any]) -> str | dict[str, Any]:
+        """
+        Return format:
+        - CQL2-text string: "1=1" or "private = false"
+        - CQL2-JSON dict: {"op": "=", "args": [{"property": "owner"}, "user123"]}
+
+        Examples:
+        - Allow all: return "1=1"
+        - User-specific: return f"owner = '{context['token']['sub']}'"
+        - Public only: return "private = false" if not context["token"] else "1=1"
+        - Complex: return {"op": "in", "args": [{"property": "id"}, ["col1", "col2"]]}
+        """
+        return "1=1"
+
+
+@dataclasses.dataclass
+class ItemsFilter:
+    """Returns CQL2 filter for /search and /collections/{id}/items endpoints."""
+
+    async def __call__(self, context: dict[str, Any]) -> str | dict[str, Any]:
+        """
+        Examples:
+        - Allow all: return "1=1"
+        - Collection-based: return f"collection = '{context['collection_id']}'"
+        - User-specific: return f"properties.owner = '{context['token']['sub']}'"
+        - Complex: return {"op": "in", "args": [{"property": "collection"}, approved_list]}
+        """
+        return "1=1"

charts/eoapi/profiles/experimental.yaml

@@ -369,8 +369,25 @@ ingress:
 stac-auth-proxy:
   enabled: true
   # For testing this will be set dynamically; for production, point to your OIDC server
-  # env:
-  #  OIDC_DISCOVERY_URL: "http://eoapi-mock-oidc-server.eoapi.svc.cluster.local:8080/.well-known/openid-configuration"
+  env:
+    # OIDC_DISCOVERY_URL: "http://eoapi-mock-oidc-server.eoapi.svc.cluster.local:8080/.well-known/openid-configuration"
+    # Custom filter classes
+    COLLECTIONS_FILTER_CLS: "stac_auth_proxy.custom_filters:CollectionsFilter"
+    ITEMS_FILTER_CLS: "stac_auth_proxy.custom_filters:ItemsFilter"
+
+  # Custom filters configuration
+  customFiltersFile: "data/stac-auth-proxy/custom_filters.py"
+
+  extraVolumes:
+    - name: filters
+      configMap:
+        name: eoapi-stac-auth-proxy-custom-filters
+
+  extraVolumeMounts:
+    - name: filters
+      mountPath: /app/src/stac_auth_proxy/custom_filters.py
+      subPath: custom_filters.py
+      readOnly: true
 
 ######################
 # MOCK OIDC SERVER

charts/eoapi/templates/core/stac-auth-proxy-filters-configmap.yaml

@@ -0,0 +1,16 @@
+{{- if index .Values "stac-auth-proxy" "enabled" }}
+{{- $stacAuthProxy := index .Values "stac-auth-proxy" }}
+{{- if and (hasKey $stacAuthProxy "extraVolumes") $stacAuthProxy.extraVolumes }}
+{{- $filterFile := $stacAuthProxy.customFiltersFile | default "data/stac-auth-proxy/custom_filters.py" }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: eoapi-stac-auth-proxy-custom-filters
+  labels:
+    {{- include "eoapi.labels" . | nindent 4 }}
+    app.kubernetes.io/component: stac-auth-proxy
+data:
+  custom_filters.py: |
+{{ .Files.Get $filterFile | indent 4 }}
+{{- end }}
+{{- end }}

charts/eoapi/tests/stac-auth-proxy-filters_test.yaml

@@ -0,0 +1,77 @@
+suite: test stac-auth-proxy custom filters ConfigMap
+templates:
+  - templates/_helpers/core.tpl
+  - templates/core/stac-auth-proxy-filters-configmap.yaml
+
+tests:
+  - it: should create ConfigMap when stac-auth-proxy is enabled and extraVolumes is defined
+    set:
+      stac-auth-proxy.enabled: true
+      stac-auth-proxy.extraVolumes:
+        - name: filters
+          configMap:
+            name: test-filters
+    template: templates/core/stac-auth-proxy-filters-configmap.yaml
+    asserts:
+      - isKind:
+          of: ConfigMap
+      - equal:
+          path: metadata.name
+          value: eoapi-stac-auth-proxy-custom-filters
+      - isNotEmpty:
+          path: data
+
+  - it: should not create ConfigMap when stac-auth-proxy is disabled
+    set:
+      stac-auth-proxy.enabled: false
+      stac-auth-proxy.extraVolumes:
+        - name: filters
+          configMap:
+            name: test-filters
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: should not create ConfigMap when extraVolumes is not defined
+    set:
+      stac-auth-proxy.enabled: true
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: should have correct labels
+    set:
+      stac-auth-proxy.enabled: true
+      stac-auth-proxy.extraVolumes:
+        - name: filters
+          configMap:
+            name: test-filters
+    template: templates/core/stac-auth-proxy-filters-configmap.yaml
+    asserts:
+      - equal:
+          path: metadata.labels["app.kubernetes.io/component"]
+          value: stac-auth-proxy
+      - exists:
+          path: metadata.labels["app.kubernetes.io/name"]
+      - exists:
+          path: metadata.labels["app.kubernetes.io/instance"]
+      - exists:
+          path: metadata.labels["helm.sh/chart"]
+
+  - it: should use custom file path when customFiltersFile is specified
+    set:
+      stac-auth-proxy.enabled: true
+      stac-auth-proxy.customFiltersFile: "data/eoepca_filters.py"
+      stac-auth-proxy.extraVolumes:
+        - name: filters
+          configMap:
+            name: test-filters
+    template: templates/core/stac-auth-proxy-filters-configmap.yaml
+    asserts:
+      - isKind:
+          of: ConfigMap
+      - equal:
+          path: metadata.name
+          value: eoapi-stac-auth-proxy-custom-filters
+      - isNotEmpty:
+          path: data

charts/eoapi/values.yaml

@@ -416,18 +416,45 @@ stac:
 stac-auth-proxy:
   enabled: false
   image:
-    tag: "v0.11.0"
-  env:
-    ROOT_PATH: "/stac"
-    OVERRIDE_HOST: "false"
-    DEFAULT_PUBLIC: "true"
-    # UPSTREAM_URL will be set dynamically in template to point to stac service
-    # OIDC_DISCOVERY_URL must be configured when enabling auth
+    tag: "v0.11.1"
   ingress:
     enabled: false  # Handled by main eoapi ingress
   service:
     port: 8080
   resources: {}
+  env:
+    # OIDC_DISCOVERY_URL must be configured when enabling auth (required)
+    ROOT_PATH: "/stac"
+    OVERRIDE_HOST: "false"
+    # UPSTREAM_URL will be set dynamically in template to point to stac service
+    #
+    # Authentication filters settings:
+    DEFAULT_PUBLIC: "true" # This enables standard profile for authentication filters
+    # Alternatively with the following settings custom filters can be added
+    # These must be mounted with extraVolumes/extraVolumeMounts (see below)
+    # COLLECTIONS_FILTER_CLS: stac_auth_proxy.custom_filters:CollectionsFilter
+    # ITEMS_FILTER_CLS: stac_auth_proxy.custom_filters:ItemsFilter
+
+  # Path to custom filters file (relative to chart root)
+  # When extraVolumes is configured, a ConfigMap will be created from this file
+  # customFiltersFile: "data/stac-auth-proxy/custom_filters.py"
+
+  # Additional volumes to mount (e.g., for custom filter files)
+  extraVolumes: []
+  # Example:
+  # extraVolumes:
+  #   - name: filters
+  #     configMap:
+  #       name: stac-auth-proxy-filters
+  #
+  # Additional volume mounts for the container
+  extraVolumeMounts: []
+  # Example:
+  # extraVolumeMounts:
+  #   - name: filters
+  #     mountPath: /app/src/stac_auth_proxy/custom_filters.py
+  #     subPath: custom_filters.py
+  #     readOnly: true
 
 vector:
   enabled: true

tests/integration/test_stac_auth.py

@@ -106,3 +106,119 @@ def test_stac_read_operations_work(stac_endpoint: str) -> None:
 
     resp = client.get(f"{stac_endpoint}/collections")
     assert resp.status_code == 200
+
+
+def test_stac_auth_custom_filters_mounted() -> None:
+    """Test that custom filters ConfigMap, env vars, and file mount work correctly."""
+    import subprocess
+
+    namespace = os.getenv("NAMESPACE", "eoapi")
+    release = os.getenv("RELEASE_NAME", "eoapi")
+
+    # Check ConfigMap exists
+    result = subprocess.run(
+        [
+            "kubectl",
+            "get",
+            "configmap",
+            "-n",
+            namespace,
+            "eoapi-stac-auth-proxy-custom-filters",
+            "-o",
+            "jsonpath={.data.custom_filters\\.py}",
+        ],
+        capture_output=True,
+        text=True,
+        check=False,
+    )
+    if result.returncode != 0:
+        pytest.skip("Custom filters ConfigMap not found (feature may be disabled)")
+
+    # Verify ConfigMap contains filter classes
+    assert "class CollectionsFilter" in result.stdout
+    assert "class ItemsFilter" in result.stdout
+
+    # Get stac-auth-proxy pod name
+    result = subprocess.run(
+        [
+            "kubectl",
+            "get",
+            "pod",
+            "-n",
+            namespace,
+            "-l",
+            f"app.kubernetes.io/name=stac-auth-proxy,app.kubernetes.io/instance={release}",
+            "-o",
+            "jsonpath={.items[0].metadata.name}",
+        ],
+        capture_output=True,
+        text=True,
+        check=True,
+    )
+    pod_name = result.stdout.strip()
+
+    if not pod_name:
+        pytest.skip("stac-auth-proxy pod not found")
+
+    # Check env vars are set
+    result = subprocess.run(
+        [
+            "kubectl",
+            "exec",
+            "-n",
+            namespace,
+            pod_name,
+            "--",
+            "printenv",
+            "COLLECTIONS_FILTER_CLS",
+        ],
+        capture_output=True,
+        text=True,
+        check=False,
+    )
+    assert result.returncode == 0, "COLLECTIONS_FILTER_CLS env var not set"
+    assert (
+        "stac_auth_proxy.custom_filters:CollectionsFilter" in result.stdout
+    ), f"Unexpected COLLECTIONS_FILTER_CLS value: {result.stdout}"
+
+    result = subprocess.run(
+        [
+            "kubectl",
+            "exec",
+            "-n",
+            namespace,
+            pod_name,
+            "--",
+            "printenv",
+            "ITEMS_FILTER_CLS",
+        ],
+        capture_output=True,
+        text=True,
+        check=False,
+    )
+    assert result.returncode == 0, "ITEMS_FILTER_CLS env var not set"
+    assert (
+        "stac_auth_proxy.custom_filters:ItemsFilter" in result.stdout
+    ), f"Unexpected ITEMS_FILTER_CLS value: {result.stdout}"
+
+    # Check if custom_filters.py is mounted at correct path
+    result = subprocess.run(
+        [
+            "kubectl",
+            "exec",
+            "-n",
+            namespace,
+            pod_name,
+            "--",
+            "cat",
+            "/app/src/stac_auth_proxy/custom_filters.py",
+        ],
+        capture_output=True,
+        text=True,
+        check=True,
+    )
+
+    # Verify mounted file contains expected filter classes
+    assert "class CollectionsFilter" in result.stdout
+    assert "class ItemsFilter" in result.stdout
+    assert 'return "1=1"' in result.stdout