Add optional auth tooling #8
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,96 @@ | ||
# TODO: Rm when https://github.com/radiantearth/stac-browser/pull/461 is merged | ||
# echo a string, handling different types | ||
safe_echo() { | ||
# $1 = value | ||
if [ -z "$1" ]; then | ||
echo -n "null" | ||
elif printf '%s\n' "$1" | grep -qE '\n.+\n$'; then | ||
echo -n "\`$1\`" | ||
else | ||
echo -n "'$1'" | ||
fi | ||
} | ||
|
||
# handle boolean | ||
bool() { | ||
# $1 = value | ||
case "$1" in | ||
true | TRUE | yes | t | True) | ||
echo -n true | ||
;; | ||
false | FALSE | no | n | False) | ||
echo -n false | ||
;; | ||
*) | ||
echo "Err: Unknown boolean value \"$1\"" >&2 | ||
exit 1 | ||
;; | ||
esac | ||
} | ||
|
||
# handle array values | ||
array() { | ||
# $1 = value | ||
# $2 = arraytype | ||
if [ -z "$1" ]; then | ||
echo -n "[]" | ||
else | ||
case "$2" in | ||
string) | ||
echo -n "['$(echo "$1" | sed "s/,/', '/g")']" | ||
;; | ||
*) | ||
echo -n "[$1]" | ||
;; | ||
esac | ||
fi | ||
} | ||
|
||
# handle object values | ||
object() { | ||
# $1 = value | ||
if [ -z "$1" ]; then | ||
echo -n "null" | ||
else | ||
echo -n "$1" | ||
fi | ||
} | ||
|
||
config_schema=$(cat /etc/nginx/conf.d/config.schema.json) | ||
|
||
# Iterate over environment variables with "SB_" prefix | ||
env -0 | cut -f1 -d= | tr '\0' '\n' | grep "^SB_" | { | ||
echo "window.STAC_BROWSER_CONFIG = {" | ||
while IFS='=' read -r name; do | ||
# Strip the prefix | ||
argname="${name#SB_}" | ||
# Read the variable's value | ||
value="$(eval "echo \"\$$name\"")" | ||
|
||
# Get the argument type from the schema | ||
argtype="$(echo "$config_schema" | jq -r ".properties.$argname.type[0]")" | ||
arraytype="$(echo "$config_schema" | jq -r ".properties.$argname.items.type[0]")" | ||
|
||
# Encode key/value | ||
echo -n " $argname: " | ||
case "$argtype" in | ||
string) | ||
safe_echo "$value" | ||
;; | ||
boolean) | ||
bool "$value" | ||
;; | ||
integer | number | object) | ||
Customization added in radiantearth/stac-browser#461 |
||
object "$value" | ||
;; | ||
array) | ||
array "$value" "$arraytype" | ||
;; | ||
*) | ||
safe_echo "$value" | ||
;; | ||
esac | ||
echo "," | ||
done | ||
echo "}" | ||
} >/usr/share/nginx/html/config.js |
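Review bot: `safe_echo` emits the value between single quotes or backticks with no escaping, so an `SB_` value containing `'`, a backslash or a backtick closes the literal early and the remainder is written to `config.js` as JavaScript that every client of the browser loads; the `string` branch of `array` has the same gap. `jq` is already required by this script, so the string can be encoded with it instead: `jq -n --arg v "$1" '$v'`. In the loop, `value="$(eval "echo \"\$$name\"")"` evaluates text taken from the environment listing as shell, whereas `value="$(printenv "$name")"` reads the value without evaluating anything. Likewise `jq -r --arg k "$argname" '.properties[$k].type[0]'` keeps the variable name out of the filter text. The header marks this file as a temporary copy of the upstream script, so the fixes may belong upstream, but a comment here stating that `SB_` variables must come only from trusted deployment configuration would record the assumption.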
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -7,6 +7,7 @@ | |
|
||
import jinja2 | ||
import pystac | ||
from eoapi.auth_utils import OpenIdConnectAuth, OpenIdConnectSettings | ||
from fastapi import Depends, FastAPI, Query | ||
from psycopg import OperationalError | ||
from psycopg.rows import dict_row | ||
|
@@ -38,12 +39,15 @@ | |
from titiler.pgstac.reader import PgSTACReader | ||
|
||
from . import __version__ as eoapi_raster_version | ||
from . import config, logs | ||
from .config import ApiSettings | ||
from .logs import init_logging | ||
|
||
settings = ApiSettings() | ||
auth_settings = OpenIdConnectSettings() | ||
|
||
settings = config.ApiSettings() | ||
|
||
# Logs | ||
logs.init_logging( | ||
init_logging( | ||
debug=settings.debug, | ||
loggers={ | ||
"botocore.credentials": { | ||
|
@@ -95,6 +99,10 @@ async def lifespan(app: FastAPI): | |
docs_url="/api.html", | ||
root_path=settings.root_path, | ||
lifespan=lifespan, | ||
swagger_ui_init_oauth={ | ||
"clientId": auth_settings.client_id, | ||
when client_id is set to
The |
||
"usePkceWithAuthorizationCodeGrant": auth_settings.use_pkce, | ||
}, | ||
) | ||
add_exception_handlers(app, DEFAULT_STATUS_CODES) | ||
add_exception_handlers(app, MOSAIC_STATUS_CODES) | ||
|
@@ -404,3 +412,16 @@ def landing(request: Request): | |
"urlparams": str(request.url.query), | ||
}, | ||
) | ||
|
||
|
||
# Add dependencies to routes | ||
if auth_settings.openid_configuration_url: | ||
oidc_auth = OpenIdConnectAuth.from_settings(auth_settings) | ||
|
||
restricted_prefixes = ["/collections", "/searches"] | ||
for route in app.routes: | ||
if any( | ||
route.path.startswith(f"{app.root_path}{prefix}") | ||
for prefix in restricted_prefixes | ||
): | ||
oidc_auth.apply_auth_dependencies(route, required_token_scopes=[]) |
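Review bot: The prefix test in the last hunk compares `route.path` with `f"{app.root_path}{prefix}"`, but as far as I can tell route paths are registered without the root path, so with a non-empty `settings.root_path` no route would match and `/collections` and `/searches` would stay unauthenticated with no error or log line. Matching on the bare prefix, `route.path.startswith(prefix)`, and logging or raising when the loop protected zero routes would make that failure visible instead of silent. `required_token_scopes=[]` appears to demand a valid token but no particular scope; if that is intended, a comment such as `# any authenticated user may create mosaics/searches; no scope check` above the loop would say so. The block runs once at import time, so routes registered after it would not be covered; the rest of the module is outside this hunk, so confirm nothing is added later.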
Critical for getting custom config working.