Merge branch 'release/2024.1.3' into main

Author: mmcfarland

.env.sample

@@ -11,10 +11,10 @@ REACT_APP_ONEDS_TENANT_KEY=
 REACT_APP_API_ROOT=https://planetarycomputer-staging.microsoft.com
 
 # Root URL for image function app endpoints
-REACT_APP_IMAGE_API_ROOT=
+REACT_APP_IMAGE_API_ROOT=https://planetarycomputer-staging.microsoft.com/api/f
 
-# Subscription key for Azure Maps
-REACT_APP_AZMAPS_KEY=
+# Client Id for Azure Maps
+REACT_APP_AZMAPS_CLIENT_ID=8f49b6d6-5845-4e20-9015-9630df1ca8d2
 
 # URL for JHub cloned repo launch (including 'git-pull')
 REACT_APP_HUB_URL=

.github/workflows/azure-static-web-apps-icy-meadow-0fc35e30f.yml

@@ -11,6 +11,8 @@ on:
 
 jobs:
   build_and_deploy_job:
+    permissions:
+      pull-requests: write
     environment: staging
     if:
       github.event_name == 'push' || (github.event_name == 'pull_request' &&
@@ -20,10 +22,9 @@ jobs:
     env:
       REACT_APP_API_ROOT: ${{ secrets.API_ROOT }}
       REACT_APP_IMAGE_API_ROOT: ${{ secrets.IMAGE_API_ROOT }}
+      REACT_APP_AZMAPS_CLIENT_ID: ${{ secrets.AZMAPS_CLIENT_ID }}
       REACT_APP_ONEDS_TENANT_KEY: ${{ secrets.ONEDS_TENANT_KEY }}
-      REACT_APP_AZMAPS_KEY: ${{ secrets.AZMAPS_KEY }}
       REACT_APP_HUB_URL: ${{ secrets.HUB_URL }}
-      REACT_APP_AUTH_URL: ${{ secrets.AUTH_URL }}
     steps:
       - uses: actions/checkout@v3
         with:

.github/workflows/azure-static-web-apps-thankful-sand-0ed34c70f.yml

@@ -11,6 +11,8 @@ on:
 
 jobs:
   build_and_deploy_job:
+    permissions:
+      pull-requests: write
     environment: production
     if:
       github.event_name == 'push' || (github.event_name == 'pull_request' &&
@@ -20,9 +22,8 @@ jobs:
     env:
       REACT_APP_API_ROOT: ${{ secrets.API_ROOT }}
       REACT_APP_IMAGE_API_ROOT: ${{ secrets.IMAGE_API_ROOT }}
-      REACT_APP_JSLL_APP_ID: ${{ secrets.JSLL_APP_ID }}
+      REACT_APP_AZMAPS_CLIENT_ID: ${{ secrets.AZMAPS_CLIENT_ID }}
       REACT_APP_ONEDS_TENANT_KEY: ${{ secrets.ONEDS_TENANT_KEY }}
-      REACT_APP_AZMAPS_KEY: ${{ secrets.AZMAPS_KEY }}
       REACT_APP_HUB_URL: ${{ secrets.HUB_URL }}
     steps:
       - uses: actions/checkout@v3

.github/workflows/azure-static-web-apps-wonderful-stone-06c70c70f.yml

@@ -11,6 +11,8 @@ on:
 
 jobs:
   build_and_deploy_job:
+    permissions:
+      pull-requests: write
     environment: test
     if:
       github.event_name == 'push' || (github.event_name == 'pull_request' &&
@@ -20,10 +22,9 @@ jobs:
     env:
       REACT_APP_API_ROOT: ${{ secrets.API_ROOT }}
       REACT_APP_IMAGE_API_ROOT: ${{ secrets.IMAGE_API_ROOT }}
+      REACT_APP_AZMAPS_CLIENT_ID: ${{ secrets.AZMAPS_CLIENT_ID }}
       REACT_APP_ONEDS_TENANT_KEY: ${{ secrets.ONEDS_TENANT_KEY }}
-      REACT_APP_AZMAPS_KEY: ${{ secrets.AZMAPS_KEY }}
       REACT_APP_HUB_URL: ${{ secrets.HUB_URL }}
-      REACT_APP_AUTH_URL: ${{ secrets.AUTH_URL }}
     steps:
       - uses: actions/checkout@v3
         with:

README.md

@@ -68,12 +68,29 @@ First, copy `.env.sample` file to `.env`, and ensure the configuration values ar
 |`REACT_APP_API_ROOT`| <https://planetarycomputer-staging.microsoft.com> | The root URL for the STAC API, either prod, staging or a local instance. If the URL ends in 'stac', this is a special case that is handled by replacing 'stac' with the target service, e.g. 'data' or 'sas'
 |`REACT_APP_TILER_ROOT`| Optional | The root URL for the data tiler API, if not hosted from the domain of the STAC API.
 |`REACT_APP_IMAGE_API_ROOT`| PC APIs pcfunc endpoint | The root URL for the image data API for animations.
-|`REACT_APP_AZMAPS_KEY`| Retrieve from Azure Portal | The key used to authenticate the Azure Maps inset map on a dataset detail page.
+|`REACT_APP_AZMAPS_CLIENT_ID`| Retrieve from Azure Portal | The Client ID used to authenticate against Azure Maps.
 |`REACT_APP_HUB_URL`| Optional. URL to root Hub instance | Used to enable a request to launch the Hub with a specific git hosted file.
 |`REACT_APP_ONEDS_TENANT_KEY`| Lookup at <https://1dswhitelisting.azurewebsites.net/> | Telemetry key (not needed for dev)
 |`REACT_APP_AUTH_URL`| Optional. URL to root pc-session-api instance | Used to enable login work.
 
-Run `./scripts/server` to launch a development server.
+Run `./scripts/server --api` to launch a development server with a local Azure Functions host running.
+
+#### Azure Maps
+
+In the local development setups, the Azure Maps token is generated using the local developer identity. Be sure to
+`az login` and `az account set --subscription "Planetary Computer"` to ensure the correct token is generated. Your identity
+will also need the "Azure Maps Search and Render Data Reader" permission, which can be set with:
+
+```sh
+USER_NAME=$(az account show --query user.name -o tsv)
+az role assignment create \
+    --assignee "$USER_NAME" \
+    --role "Azure Maps Search and Render Data Reader" \
+    --scope "/subscriptions/9da7523a-cb61-4c3e-b1d4-afa5fc6d2da9/resourceGroups/pc-datacatalog-rg/providers/Microsoft.Maps/accounts/pc-datacatalog-azmaps" \
+    --subscription "Planetary Computer"
+```
+
+Note, you may need to assign this role via an identity that has JIT admin privileges enabled against the Planetary Computer subscription.
 
 #### Developing against local STAC assets
 

api/Dockerfile

@@ -1,10 +1,19 @@
-FROM mcr.microsoft.com/azure-functions/python:4-python3.9
+FROM mcr.microsoft.com/azure-cli:cbl-mariner2.0
 
 ENV AzureWebJobsScriptRoot=/home/site/wwwroot \
     AzureFunctionsJobHost__Logging__Console__IsEnabled=true
 
+RUN tdnf install libicu unzip wget -y
+RUN wget https://github.com/Azure/azure-functions-core-tools/releases/download/4.0.5530/Azure.Functions.Cli.linux-x64.4.0.5530.zip
+RUN mkdir -p /usr/local/lib/Azure.Functions.Cli
+RUN unzip Azure.Functions.Cli.linux-x64.4.0.5530.zip -d /usr/local/lib/Azure.Functions.Cli
+RUN chmod +x /usr/local/lib/Azure.Functions.Cli/func
+
+ENV PATH="/usr/local/lib/Azure.Functions.Cli:${PATH}"
+
+RUN python3 -m ensurepip --upgrade
 COPY requirements.txt /
-RUN pip install -r /requirements.txt
+RUN pip3 install -r /requirements.txt
 
 COPY requirements-dev.txt /
-RUN pip install -r /requirements-dev.txt
+RUN pip3 install -r /requirements-dev.txt

api/README.md

@@ -12,12 +12,12 @@ To set appropriate configuration values for the Function app, copy the `local.se
 
 The `local.settings.json` file has the following keys in the Values section:
 
-|Key|KeyVault Key|Purpose|
-|---|---|---|
-|`NotificationHook`|  | URL to send Teams notification on new Account Request
-|`AuthAdminUrl`| | URL to the PC ID admin page which contains the signup table. Used in the Teams notification message.
-|`SignupUrl`| | URL to POST new user content to on submission
-|`SignupToken` | `pc-id--request-auth-token` | Bearer token required to make the above POST request
+| Key                | KeyVault Key                | Purpose                                                                                              |
+|--------------------|-----------------------------|------------------------------------------------------------------------------------------------------|
+| `NotificationHook` |                             | URL to send Teams notification on new Account Request                                                |
+| `AuthAdminUrl`     |                             | URL to the PC ID admin page which contains the signup table. Used in the Teams notification message. |
+| `SignupUrl`        |                             | URL to POST new user content to on submission                                                        |
+| `SignupToken`      | `pc-id--request-auth-token` | Bearer token required to make the above POST request                                                 |
 
 ### Production
 

api/map-token/__init__.py

@@ -0,0 +1,38 @@
+import json
+import logging
+from typing import TypedDict
+
+import azure.functions as func
+
+from azure.identity import DefaultAzureCredential
+from azure.core.exceptions import ClientAuthenticationError
+
+logger = logging.getLogger("api.maps-token")
+# For performance, exclude checking options we know won't be used
+credential = DefaultAzureCredential(
+    exclude_environment_credential=True,
+    exclude_developer_cli_credential=True,
+    exclude_powershell_credential=True,
+    exclude_visual_studio_code_credential=True,
+)
+
+
+class TokenResponse(TypedDict):
+    token: str
+    expires_on: int
+
+
+def main(req: func.HttpRequest) -> func.HttpResponse:
+
+    logger.debug("Python HTTP trigger function processed a request.")
+    try:
+        logger.debug("Getting azure maps token")
+        token = credential.get_token("https://atlas.microsoft.com/.default")
+        logger.debug("Token acquired")
+
+        resp: TokenResponse = {"token": token.token, "expires_on": token.expires_on}
+
+        return func.HttpResponse(status_code=200, body=json.dumps(resp))
+    except ClientAuthenticationError:
+        logger.exception(f"Error getting azure maps token")
+        return func.HttpResponse("Error getting token", status_code=500)

api/map-token/function.json

@@ -0,0 +1,19 @@
+{
+  "scriptFile": "__init__.py",
+  "bindings": [
+    {
+      "authLevel": "function",
+      "type": "httpTrigger",
+      "direction": "in",
+      "name": "req",
+      "methods": [
+        "get"
+      ]
+    },
+    {
+      "type": "http",
+      "direction": "out",
+      "name": "$return"
+    }
+  ]
+}

api/requirements.txt

@@ -3,4 +3,5 @@
 # Manually managing azure-functions-worker may cause unexpected issues
 
 azure-functions==1.11.2
+azure-identity==1.15.0
 requests==2.31.0