basic_auth + tests

Author: pedro-cf

stac_fastapi/core/setup.py

@@ -18,6 +18,7 @@
     "overrides",
     "geojson-pydantic",
     "pygeofilter==0.2.1",
+    "typing_extensions==4.4.0",
 ]
 
 setup(

stac_fastapi/elasticsearch/stac_fastapi/elasticsearch/app.py

@@ -12,6 +12,7 @@
 )
 from stac_fastapi.core.extensions import QueryExtension
 from stac_fastapi.core.session import Session
+from stac_fastapi.elasticsearch.basic_auth import apply_basic_auth
 from stac_fastapi.elasticsearch.config import ElasticsearchSettings
 from stac_fastapi.elasticsearch.database_logic import (
     DatabaseLogic,
@@ -77,6 +78,8 @@
 app = api.app
 app.root_path = os.getenv("STAC_FASTAPI_ROOT_PATH", "")
 
+apply_basic_auth(api)
+
 
 @app.on_event("startup")
 async def _startup_event() -> None:

stac_fastapi/elasticsearch/stac_fastapi/elasticsearch/basic_auth.py

@@ -0,0 +1,114 @@
+"""Basic Authentication Module."""
+
+import json
+import os
+import secrets
+from typing import Any, Dict
+
+from fastapi import Depends, HTTPException, Request, status
+from fastapi.routing import APIRoute
+from fastapi.security import HTTPBasic, HTTPBasicCredentials
+from typing_extensions import Annotated
+
+from stac_fastapi.api.app import StacApi
+
+security = HTTPBasic()
+
+_BASIC_AUTH: Dict[str, Any] = {}
+
+
+def has_access(
+    request: Request, credentials: Annotated[HTTPBasicCredentials, Depends(security)]
+) -> str:
+    """Check if the provided credentials match the expected \
+        username and password stored in environment variables for basic authentication.
+
+    Args:
+        request (Request): The FastAPI request object.
+        credentials (HTTPBasicCredentials): The HTTP basic authentication credentials.
+
+    Returns:
+        str: The username if authentication is successful.
+
+    Raises:
+        HTTPException: If authentication fails due to incorrect username or password.
+    """
+    global _BASIC_AUTH
+
+    users = _BASIC_AUTH.get("users")
+    user: Dict[str, Any] = next(
+        (u for u in users if u.get("username") == credentials.username), {}
+    )
+
+    if not user:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Incorrect username or password",
+            headers={"WWW-Authenticate": "Basic"},
+        )
+
+    # Compare the provided username and password with the correct ones using compare_digest
+    if not secrets.compare_digest(
+        credentials.username.encode("utf-8"), user.get("username").encode("utf-8")
+    ) or not secrets.compare_digest(
+        credentials.password.encode("utf-8"), user.get("password").encode("utf-8")
+    ):
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Incorrect username or password",
+            headers={"WWW-Authenticate": "Basic"},
+        )
+
+    permissions = user.get("permissions", [])
+    path = request.url.path
+    method = request.method
+
+    if permissions == "*":
+        return credentials.username
+    for permission in permissions:
+        if permission["path"] == path and method in permission.get("method", []):
+            return credentials.username
+
+    raise HTTPException(
+        status_code=status.HTTP_403_FORBIDDEN,
+        detail=f"Insufficient permissions for [{method} {path}]",
+    )
+
+
+def apply_basic_auth(api: StacApi) -> None:
+    """Apply basic authentication to the provided FastAPI application \
+        based on environment variables for username, password, and endpoints.
+
+    Args:
+        api (StacApi): The FastAPI application.
+
+    Raises:
+        HTTPException: If there are issues with the configuration or format
+                       of the environment variables.
+    """
+    global _BASIC_AUTH
+
+    basic_auth_json_str = os.environ.get("BASIC_AUTH")
+    if not basic_auth_json_str:
+        print("Basic authentication disabled.")
+        return
+
+    try:
+        _BASIC_AUTH = json.loads(basic_auth_json_str)
+    except json.JSONDecodeError as exception:
+        print(f"Invalid JSON format for BASIC_AUTH. {exception=}")
+        raise
+    public_endpoints = _BASIC_AUTH.get("public_endpoints", [])
+    users = _BASIC_AUTH.get("users")
+    if not users:
+        raise Exception("Invalid JSON format for BASIC_AUTH. Key 'users' undefined.")
+
+    app = api.app
+    for route in app.routes:
+        if isinstance(route, APIRoute):
+            for method in route.methods:
+                endpoint = {"path": route.path, "method": method}
+                if endpoint not in public_endpoints:
+                    api.add_route_dependencies([endpoint], [Depends(has_access)])
+
+    print("Basic authentication enabled.")

stac_fastapi/opensearch/stac_fastapi/opensearch/app.py

@@ -21,6 +21,7 @@
     TransactionExtension,
 )
 from stac_fastapi.extensions.third_party import BulkTransactionExtension
+from stac_fastapi.opensearch.basic_auth import apply_basic_auth
 from stac_fastapi.opensearch.config import OpensearchSettings
 from stac_fastapi.opensearch.database_logic import (
     DatabaseLogic,
@@ -77,6 +78,8 @@
 app = api.app
 app.root_path = os.getenv("STAC_FASTAPI_ROOT_PATH", "")
 
+apply_basic_auth(api)
+
 
 @app.on_event("startup")
 async def _startup_event() -> None:

stac_fastapi/opensearch/stac_fastapi/opensearch/basic_auth.py

@@ -0,0 +1,114 @@
+"""Basic Authentication Module."""
+
+import json
+import os
+import secrets
+from typing import Any, Dict
+
+from fastapi import Depends, HTTPException, Request, status
+from fastapi.routing import APIRoute
+from fastapi.security import HTTPBasic, HTTPBasicCredentials
+from typing_extensions import Annotated
+
+from stac_fastapi.api.app import StacApi
+
+security = HTTPBasic()
+
+_BASIC_AUTH: Dict[str, Any] = {}
+
+
+def has_access(
+    request: Request, credentials: Annotated[HTTPBasicCredentials, Depends(security)]
+) -> str:
+    """Check if the provided credentials match the expected \
+        username and password stored in environment variables for basic authentication.
+
+    Args:
+        request (Request): The FastAPI request object.
+        credentials (HTTPBasicCredentials): The HTTP basic authentication credentials.
+
+    Returns:
+        str: The username if authentication is successful.
+
+    Raises:
+        HTTPException: If authentication fails due to incorrect username or password.
+    """
+    global _BASIC_AUTH
+
+    users = _BASIC_AUTH.get("users")
+    user: Dict[str, Any] = next(
+        (u for u in users if u.get("username") == credentials.username), {}
+    )
+
+    if not user:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Incorrect username or password",
+            headers={"WWW-Authenticate": "Basic"},
+        )
+
+    # Compare the provided username and password with the correct ones using compare_digest
+    if not secrets.compare_digest(
+        credentials.username.encode("utf-8"), user.get("username").encode("utf-8")
+    ) or not secrets.compare_digest(
+        credentials.password.encode("utf-8"), user.get("password").encode("utf-8")
+    ):
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Incorrect username or password",
+            headers={"WWW-Authenticate": "Basic"},
+        )
+
+    permissions = user.get("permissions", [])
+    path = request.url.path
+    method = request.method
+
+    if permissions == "*":
+        return credentials.username
+    for permission in permissions:
+        if permission["path"] == path and method in permission.get("method", []):
+            return credentials.username
+
+    raise HTTPException(
+        status_code=status.HTTP_403_FORBIDDEN,
+        detail=f"Insufficient permissions for [{method} {path}]",
+    )
+
+
+def apply_basic_auth(api: StacApi) -> None:
+    """Apply basic authentication to the provided FastAPI application \
+        based on environment variables for username, password, and endpoints.
+
+    Args:
+        api (StacApi): The FastAPI application.
+
+    Raises:
+        HTTPException: If there are issues with the configuration or format
+                       of the environment variables.
+    """
+    global _BASIC_AUTH
+
+    basic_auth_json_str = os.environ.get("BASIC_AUTH")
+    if not basic_auth_json_str:
+        print("Basic authentication disabled.")
+        return
+
+    try:
+        _BASIC_AUTH = json.loads(basic_auth_json_str)
+    except json.JSONDecodeError as exception:
+        print(f"Invalid JSON format for BASIC_AUTH. {exception=}")
+        raise
+    public_endpoints = _BASIC_AUTH.get("public_endpoints", [])
+    users = _BASIC_AUTH.get("users")
+    if not users:
+        raise Exception("Invalid JSON format for BASIC_AUTH. Key 'users' undefined.")
+
+    app = api.app
+    for route in app.routes:
+        if isinstance(route, APIRoute):
+            for method in route.methods:
+                endpoint = {"path": route.path, "method": method}
+                if endpoint not in public_endpoints:
+                    api.add_route_dependencies([endpoint], [Depends(has_access)])
+
+    print("Basic authentication enabled.")

stac_fastapi/tests/basic_auth/basic_auth.py

@@ -0,0 +1,51 @@
+import os
+
+import pytest
+
+
+@pytest.mark.asyncio
+async def test_get_search_not_authenticated(app_client_basic_auth, ctx):
+    """Test public endpoint search without authentication"""
+    if not os.getenv("BASIC_AUTH"):
+        pytest.skip()
+    params = {"id": ctx.item["id"]}
+
+    response = await app_client_basic_auth.get("/search", params=params)
+
+    assert response.status_code == 200
+    assert response.json()["features"][0]["geometry"] == ctx.item["geometry"]
+
+
+@pytest.mark.asyncio
+async def test_post_search_authenticated(app_client_basic_auth, ctx):
+    """Test protected post search with reader auhtentication"""
+    if not os.getenv("BASIC_AUTH"):
+        pytest.skip()
+    params = {"id": ctx.item["id"]}
+    headers = {"Authorization": "Basic cmVhZGVyOnJlYWRlcg=="}
+
+    response = await app_client_basic_auth.post("/search", json=params, headers=headers)
+
+    assert response.status_code == 200
+    assert response.json()["features"][0]["geometry"] == ctx.item["geometry"]
+
+
+@pytest.mark.asyncio
+async def test_delete_resource_insufficient_permissions(app_client_basic_auth):
+    """Test protected delete collection with reader auhtentication"""
+    if not os.getenv("BASIC_AUTH"):
+        pytest.skip()
+    headers = {
+        "Authorization": "Basic cmVhZGVyOnJlYWRlcg=="
+    }  # Assuming this is a valid authorization token
+
+    response = await app_client_basic_auth.delete(
+        "/collections/test-collection", headers=headers
+    )
+
+    assert (
+        response.status_code == 403
+    )  # Expecting a 403 status code for insufficient permissions
+    assert response.json() == {
+        "detail": "Insufficient permissions for [DELETE /collections/test-collection]"
+    }

stac_fastapi/tests/conftest.py

@@ -25,6 +25,7 @@
         create_collection_index,
         create_index_templates,
     )
+    from stac_fastapi.opensearch.basic_auth import apply_basic_auth
 else:
     from stac_fastapi.elasticsearch.config import (
         ElasticsearchSettings as SearchSettings,
@@ -35,6 +36,7 @@
         create_collection_index,
         create_index_templates,
     )
+    from stac_fastapi.elasticsearch.basic_auth import apply_basic_auth
 
 from stac_fastapi.extensions.core import (  # FieldsExtension,
     ContextExtension,
@@ -222,3 +224,51 @@ async def app_client(app):
 
     async with AsyncClient(app=app, base_url="http://test-server") as c:
         yield c
+
+
+@pytest_asyncio.fixture(scope="session")
+async def app_basic_auth():
+    settings = AsyncSettings()
+    extensions = [
+        TransactionExtension(
+            client=TransactionsClient(
+                database=database, session=None, settings=settings
+            ),
+            settings=settings,
+        ),
+        ContextExtension(),
+        SortExtension(),
+        FieldsExtension(),
+        QueryExtension(),
+        TokenPaginationExtension(),
+        FilterExtension(),
+    ]
+
+    post_request_model = create_post_request_model(extensions)
+
+    stac_api = StacApi(
+        settings=settings,
+        client=CoreClient(
+            database=database,
+            session=None,
+            extensions=extensions,
+            post_request_model=post_request_model,
+        ),
+        extensions=extensions,
+        search_get_request_model=create_get_request_model(extensions),
+        search_post_request_model=post_request_model,
+    )
+    
+    os.environ["BASIC_AUTH"] = '{"public_endpoints":[{"path":"/","method":"GET"},{"path":"/search","method":"GET"}],"users":[{"username":"admin","password":"admin","permissions":"*"},{"username":"reader","password":"reader","permissions":[{"path":"/conformance","method":["GET"]},{"path":"/collections/{collection_id}/items/{item_id}","method":["GET"]},{"path":"/search","method":["POST"]},{"path":"/collections","method":["GET"]},{"path":"/collections/{collection_id}","method":["GET"]},{"path":"/collections/{collection_id}/items","method":["GET"]},{"path":"/queryables","method":["GET"]},{"path":"/queryables/collections/{collection_id}/queryables","method":["GET"]},{"path":"/_mgmt/ping","method":["GET"]}]}]}'
+    apply_basic_auth(stac_api)
+    
+    return stac_api.app
+
+
+@pytest_asyncio.fixture(scope="session")
+async def app_client_basic_auth(app_basic_auth):
+    await create_index_templates()
+    await create_collection_index()
+
+    async with AsyncClient(app=app_basic_auth, base_url="http://test-server") as c:
+        yield c