docker compose examples + test updates + basic_auth module tweaks

Author: pedro-cf

docker-compose.basic_auth_protected.yml

@@ -0,0 +1,94 @@
+version: '3.9'
+
+services:
+  app-elasticsearch:
+    container_name: stac-fastapi-es
+    image: stac-utils/stac-fastapi-es
+    restart: always
+    build:
+      context: .
+      dockerfile: dockerfiles/Dockerfile.dev.es
+    environment:
+      - STAC_FASTAPI_TITLE=stac-fastapi-elasticsearch
+      - STAC_FASTAPI_DESCRIPTION=A STAC FastAPI with an Elasticsearch backend
+      - STAC_FASTAPI_VERSION=2.1
+      - APP_HOST=0.0.0.0
+      - APP_PORT=8080
+      - RELOAD=true
+      - ENVIRONMENT=local
+      - WEB_CONCURRENCY=10
+      - ES_HOST=elasticsearch
+      - ES_PORT=9200
+      - ES_USE_SSL=false
+      - ES_VERIFY_CERTS=false
+      - BACKEND=elasticsearch
+      - BASIC_AUTH={"users":[{"username":"admin","password":"admin","permissions":"*"},{"username":"reader","password":"reader","permissions":[{"path":"/","method":["GET"]},{"path":"/conformance","method":["GET"]},{"path":"/collections/{collection_id}/items/{item_id}","method":["GET"]},{"path":"/search","method":["GET","POST"]},{"path":"/collections","method":["GET"]},{"path":"/collections/{collection_id}","method":["GET"]},{"path":"/collections/{collection_id}/items","method":["GET"]},{"path":"/queryables","method":["GET"]},{"path":"/queryables/collections/{collection_id}/queryables","method":["GET"]},{"path":"/_mgmt/ping","method":["GET"]}]}]}
+    ports:
+      - "8080:8080"
+    volumes:
+      - ./stac_fastapi:/app/stac_fastapi
+      - ./scripts:/app/scripts
+      - ./esdata:/usr/share/elasticsearch/data
+    depends_on:
+      - elasticsearch
+    command:
+      bash -c "./scripts/wait-for-it-es.sh es-container:9200 && python -m stac_fastapi.elasticsearch.app"
+
+  app-opensearch:
+    container_name: stac-fastapi-os
+    image: stac-utils/stac-fastapi-os
+    restart: always
+    build:
+      context: .
+      dockerfile: dockerfiles/Dockerfile.dev.os
+    environment:
+      - STAC_FASTAPI_TITLE=stac-fastapi-opensearch
+      - STAC_FASTAPI_DESCRIPTION=A STAC FastAPI with an Opensearch backend
+      - STAC_FASTAPI_VERSION=2.1
+      - APP_HOST=0.0.0.0
+      - APP_PORT=8082
+      - RELOAD=true
+      - ENVIRONMENT=local
+      - WEB_CONCURRENCY=10
+      - ES_HOST=opensearch
+      - ES_PORT=9202
+      - ES_USE_SSL=false
+      - ES_VERIFY_CERTS=false
+      - BACKEND=opensearch
+      - BASIC_AUTH={"users":[{"username":"admin","password":"admin","permissions":"*"},{"username":"reader","password":"reader","permissions":[{"path":"/","method":["GET"]},{"path":"/conformance","method":["GET"]},{"path":"/collections/{collection_id}/items/{item_id}","method":["GET"]},{"path":"/search","method":["GET","POST"]},{"path":"/collections","method":["GET"]},{"path":"/collections/{collection_id}","method":["GET"]},{"path":"/collections/{collection_id}/items","method":["GET"]},{"path":"/queryables","method":["GET"]},{"path":"/queryables/collections/{collection_id}/queryables","method":["GET"]},{"path":"/_mgmt/ping","method":["GET"]}]}]}
+    ports:
+      - "8082:8082"
+    volumes:
+      - ./stac_fastapi:/app/stac_fastapi
+      - ./scripts:/app/scripts
+      - ./osdata:/usr/share/opensearch/data
+    depends_on:
+      - opensearch
+    command:
+      bash -c "./scripts/wait-for-it-es.sh os-container:9202 && python -m stac_fastapi.opensearch.app"
+
+  elasticsearch:
+    container_name: es-container
+    image: docker.elastic.co/elasticsearch/elasticsearch:${ELASTICSEARCH_VERSION:-8.11.0}
+    hostname: elasticsearch
+    environment:
+      ES_JAVA_OPTS: -Xms512m -Xmx1g
+    volumes:
+      - ./elasticsearch/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
+      - ./elasticsearch/snapshots:/usr/share/elasticsearch/snapshots
+    ports:
+      - "9200:9200"
+
+  opensearch:
+    container_name: os-container
+    image: opensearchproject/opensearch:${OPENSEARCH_VERSION:-2.11.1}
+    hostname: opensearch
+    environment:
+      - discovery.type=single-node
+      - plugins.security.disabled=true
+      - OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m
+    volumes:
+      - ./opensearch/config/opensearch.yml:/usr/share/opensearch/config/opensearch.yml
+      - ./opensearch/snapshots:/usr/share/opensearch/snapshots
+    ports:
+      - "9202:9202"

docker-compose.basic_auth_public.yml

@@ -0,0 +1,94 @@
+version: '3.9'
+
+services:
+  app-elasticsearch:
+    container_name: stac-fastapi-es
+    image: stac-utils/stac-fastapi-es
+    restart: always
+    build:
+      context: .
+      dockerfile: dockerfiles/Dockerfile.dev.es
+    environment:
+      - STAC_FASTAPI_TITLE=stac-fastapi-elasticsearch
+      - STAC_FASTAPI_DESCRIPTION=A STAC FastAPI with an Elasticsearch backend
+      - STAC_FASTAPI_VERSION=2.1
+      - APP_HOST=0.0.0.0
+      - APP_PORT=8080
+      - RELOAD=true
+      - ENVIRONMENT=local
+      - WEB_CONCURRENCY=10
+      - ES_HOST=elasticsearch
+      - ES_PORT=9200
+      - ES_USE_SSL=false
+      - ES_VERIFY_CERTS=false
+      - BACKEND=elasticsearch
+      - BASIC_AUTH={"public_endpoints":[{"path":"/","method":"GET"},{"path":"/conformance","method":"GET"},{"path":"/collections/{collection_id}/items/{item_id}","method":"GET"},{"path":"/search","method":"GET"},{"path":"/search","method":"POST"},{"path":"/collections","method":"GET"},{"path":"/collections/{collection_id}","method":"GET"},{"path":"/collections/{collection_id}/items","method":"GET"},{"path":"/queryables","method":"GET"},{"path":"/queryables/collections/{collection_id}/queryables","method":"GET"},{"path":"/_mgmt/ping","method":"GET"}],"users":[{"username":"admin","password":"admin","permissions":[{"path":"/","method":["GET"]},{"path":"/conformance","method":["GET"]},{"path":"/collections/{collection_id}/items/{item_id}","method":["GET","POST","PUT","DELETE"]},{"path":"/search","method":["GET","POST"]},{"path":"/collections","method":["GET","PUT","POST"]},{"path":"/collections/{collection_id}","method":["GET","DELETE"]},{"path":"/collections/{collection_id}/items","method":["GET","POST"]},{"path":"/queryables","method":["GET"]},{"path":"/queryables/collections/{collection_id}/queryables","method":["GET"]},{"path":"/_mgmt/ping","method":["GET"]}]}]}
+    ports:
+      - "8080:8080"
+    volumes:
+      - ./stac_fastapi:/app/stac_fastapi
+      - ./scripts:/app/scripts
+      - ./esdata:/usr/share/elasticsearch/data
+    depends_on:
+      - elasticsearch
+    command:
+      bash -c "./scripts/wait-for-it-es.sh es-container:9200 && python -m stac_fastapi.elasticsearch.app"
+
+  app-opensearch:
+    container_name: stac-fastapi-os
+    image: stac-utils/stac-fastapi-os
+    restart: always
+    build:
+      context: .
+      dockerfile: dockerfiles/Dockerfile.dev.os
+    environment:
+      - STAC_FASTAPI_TITLE=stac-fastapi-opensearch
+      - STAC_FASTAPI_DESCRIPTION=A STAC FastAPI with an Opensearch backend
+      - STAC_FASTAPI_VERSION=2.1
+      - APP_HOST=0.0.0.0
+      - APP_PORT=8082
+      - RELOAD=true
+      - ENVIRONMENT=local
+      - WEB_CONCURRENCY=10
+      - ES_HOST=opensearch
+      - ES_PORT=9202
+      - ES_USE_SSL=false
+      - ES_VERIFY_CERTS=false
+      - BACKEND=opensearch
+      - BASIC_AUTH={"public_endpoints":[{"path":"/","method":"GET"},{"path":"/conformance","method":"GET"},{"path":"/collections/{collection_id}/items/{item_id}","method":"GET"},{"path":"/search","method":"GET"},{"path":"/search","method":"POST"},{"path":"/collections","method":"GET"},{"path":"/collections/{collection_id}","method":"GET"},{"path":"/collections/{collection_id}/items","method":"GET"},{"path":"/queryables","method":"GET"},{"path":"/queryables/collections/{collection_id}/queryables","method":"GET"},{"path":"/_mgmt/ping","method":"GET"}],"users":[{"username":"admin","password":"admin","permissions":[{"path":"/","method":["GET"]},{"path":"/conformance","method":["GET"]},{"path":"/collections/{collection_id}/items/{item_id}","method":["GET","POST","PUT","DELETE"]},{"path":"/search","method":["GET","POST"]},{"path":"/collections","method":["GET","PUT","POST"]},{"path":"/collections/{collection_id}","method":["GET","DELETE"]},{"path":"/collections/{collection_id}/items","method":["GET","POST"]},{"path":"/queryables","method":["GET"]},{"path":"/queryables/collections/{collection_id}/queryables","method":["GET"]},{"path":"/_mgmt/ping","method":["GET"]}]}]}
+    ports:
+      - "8082:8082"
+    volumes:
+      - ./stac_fastapi:/app/stac_fastapi
+      - ./scripts:/app/scripts
+      - ./osdata:/usr/share/opensearch/data
+    depends_on:
+      - opensearch
+    command:
+      bash -c "./scripts/wait-for-it-es.sh os-container:9202 && python -m stac_fastapi.opensearch.app"
+
+  elasticsearch:
+    container_name: es-container
+    image: docker.elastic.co/elasticsearch/elasticsearch:${ELASTICSEARCH_VERSION:-8.11.0}
+    hostname: elasticsearch
+    environment:
+      ES_JAVA_OPTS: -Xms512m -Xmx1g
+    volumes:
+      - ./elasticsearch/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
+      - ./elasticsearch/snapshots:/usr/share/elasticsearch/snapshots
+    ports:
+      - "9200:9200"
+
+  opensearch:
+    container_name: os-container
+    image: opensearchproject/opensearch:${OPENSEARCH_VERSION:-2.11.1}
+    hostname: opensearch
+    environment:
+      - discovery.type=single-node
+      - plugins.security.disabled=true
+      - OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m
+    volumes:
+      - ./opensearch/config/opensearch.yml:/usr/share/opensearch/config/opensearch.yml
+      - ./opensearch/snapshots:/usr/share/opensearch/snapshots
+    ports:
+      - "9202:9202"

stac_fastapi/elasticsearch/stac_fastapi/elasticsearch/basic_auth.py

@@ -1,6 +1,7 @@
 """Basic Authentication Module."""
 
 import json
+import logging
 import os
 import secrets
 from typing import Any, Dict
@@ -12,13 +13,13 @@
 
 from stac_fastapi.api.app import StacApi
 
-security = HTTPBasic()
-
+_SECURITY = HTTPBasic()
+_LOGGER = logging.getLogger("uvicorn.default")
 _BASIC_AUTH: Dict[str, Any] = {}
 
 
 def has_access(
-    request: Request, credentials: Annotated[HTTPBasicCredentials, Depends(security)]
+    request: Request, credentials: Annotated[HTTPBasicCredentials, Depends(_SECURITY)]
 ) -> str:
     """Check if the provided credentials match the expected \
         username and password stored in environment variables for basic authentication.
@@ -90,13 +91,13 @@ def apply_basic_auth(api: StacApi) -> None:
 
     basic_auth_json_str = os.environ.get("BASIC_AUTH")
     if not basic_auth_json_str:
-        print("Basic authentication disabled.")
+        _LOGGER.info("Basic authentication disabled.")
         return
 
     try:
         _BASIC_AUTH = json.loads(basic_auth_json_str)
     except json.JSONDecodeError as exception:
-        print(f"Invalid JSON format for BASIC_AUTH. {exception=}")
+        _LOGGER.error(f"Invalid JSON format for BASIC_AUTH. {exception=}")
         raise
     public_endpoints = _BASIC_AUTH.get("public_endpoints", [])
     users = _BASIC_AUTH.get("users")
@@ -111,4 +112,4 @@ def apply_basic_auth(api: StacApi) -> None:
                 if endpoint not in public_endpoints:
                     api.add_route_dependencies([endpoint], [Depends(has_access)])
 
-    print("Basic authentication enabled.")
+    _LOGGER.info("Basic authentication enabled.")

stac_fastapi/opensearch/stac_fastapi/opensearch/basic_auth.py

@@ -1,6 +1,7 @@
 """Basic Authentication Module."""
 
 import json
+import logging
 import os
 import secrets
 from typing import Any, Dict
@@ -12,13 +13,13 @@
 
 from stac_fastapi.api.app import StacApi
 
-security = HTTPBasic()
-
+_SECURITY = HTTPBasic()
+_LOGGER = logging.getLogger("uvicorn.default")
 _BASIC_AUTH: Dict[str, Any] = {}
 
 
 def has_access(
-    request: Request, credentials: Annotated[HTTPBasicCredentials, Depends(security)]
+    request: Request, credentials: Annotated[HTTPBasicCredentials, Depends(_SECURITY)]
 ) -> str:
     """Check if the provided credentials match the expected \
         username and password stored in environment variables for basic authentication.
@@ -90,13 +91,13 @@ def apply_basic_auth(api: StacApi) -> None:
 
     basic_auth_json_str = os.environ.get("BASIC_AUTH")
     if not basic_auth_json_str:
-        print("Basic authentication disabled.")
+        _LOGGER.info("Basic authentication disabled.")
         return
 
     try:
         _BASIC_AUTH = json.loads(basic_auth_json_str)
     except json.JSONDecodeError as exception:
-        print(f"Invalid JSON format for BASIC_AUTH. {exception=}")
+        _LOGGER.error(f"Invalid JSON format for BASIC_AUTH. {exception=}")
         raise
     public_endpoints = _BASIC_AUTH.get("public_endpoints", [])
     users = _BASIC_AUTH.get("users")
@@ -111,4 +112,4 @@ def apply_basic_auth(api: StacApi) -> None:
                 if endpoint not in public_endpoints:
                     api.add_route_dependencies([endpoint], [Depends(has_access)])
 
-    print("Basic authentication enabled.")
+    _LOGGER.info("Basic authentication enabled.")

stac_fastapi/tests/basic_auth/test_basic_auth.py

@@ -12,7 +12,7 @@ async def test_get_search_not_authenticated(app_client_basic_auth, ctx):
 
     response = await app_client_basic_auth.get("/search", params=params)
 
-    assert response.status_code == 200
+    assert response.status_code == 200, response
     assert response.json()["features"][0]["geometry"] == ctx.item["geometry"]
 
 
@@ -26,26 +26,68 @@ async def test_post_search_authenticated(app_client_basic_auth, ctx):
 
     response = await app_client_basic_auth.post("/search", json=params, headers=headers)
 
-    assert response.status_code == 200
+    assert response.status_code == 200, response
     assert response.json()["features"][0]["geometry"] == ctx.item["geometry"]
 
 
 @pytest.mark.asyncio
-async def test_delete_resource_insufficient_permissions(app_client_basic_auth):
+async def test_delete_resource_anonymous(
+    app_client_basic_auth,
+):
+    """Test protected delete collection without auhtentication"""
+    if not os.getenv("BASIC_AUTH"):
+        pytest.skip()
+
+    response = await app_client_basic_auth.delete("/collections/test-collection")
+
+    assert response.status_code == 401
+    assert response.json() == {"detail": "Not authenticated"}
+
+
+@pytest.mark.asyncio
+async def test_delete_resource_invalid_credentials(app_client_basic_auth, ctx):
+    """Test protected delete collection with admin auhtentication"""
+    if not os.getenv("BASIC_AUTH"):
+        pytest.skip()
+
+    headers = {"Authorization": "Basic YWRtaW46cGFzc3dvcmQ="}
+
+    response = await app_client_basic_auth.delete(
+        f"/collections/{ctx.collection['id']}", headers=headers
+    )
+
+    assert response.status_code == 401
+    assert response.json() == {"detail": "Incorrect username or password"}
+
+
+@pytest.mark.asyncio
+async def test_delete_resource_insufficient_permissions(app_client_basic_auth, ctx):
     """Test protected delete collection with reader auhtentication"""
     if not os.getenv("BASIC_AUTH"):
         pytest.skip()
-    headers = {
-        "Authorization": "Basic cmVhZGVyOnJlYWRlcg=="
-    }  # Assuming this is a valid authorization token
+
+    headers = {"Authorization": "Basic cmVhZGVyOnJlYWRlcg=="}
 
     response = await app_client_basic_auth.delete(
-        "/collections/test-collection", headers=headers
+        f"/collections/{ctx.collection['id']}", headers=headers
     )
 
-    assert (
-        response.status_code == 403
-    )  # Expecting a 403 status code for insufficient permissions
+    assert response.status_code == 403
     assert response.json() == {
         "detail": "Insufficient permissions for [DELETE /collections/test-collection]"
     }
+
+
+@pytest.mark.asyncio
+async def test_delete_resource_sufficient_permissions(app_client_basic_auth, ctx):
+    """Test protected delete collection with admin auhtentication"""
+    if not os.getenv("BASIC_AUTH"):
+        pytest.skip()
+
+    headers = {"Authorization": "Basic YWRtaW46YWRtaW4="}
+
+    response = await app_client_basic_auth.delete(
+        f"/collections/{ctx.collection['id']}", headers=headers
+    )
+
+    assert response.status_code == 204