More tests for authentication.

Author: pantierra

charts/eoapi/profiles/experimental.yaml

@@ -370,11 +370,14 @@ stac-auth-proxy:
   enabled: true
   service:
     port: 8080
-  # Wait for mock-oidc to be ready in testing scenarios
+  # Wait for dependencies to be ready before starting stac-auth-proxy
   initContainers:
     - name: wait-for-mock-oidc
       image: busybox:1.35
       command: ['sh', '-c', 'until nc -z eoapi-mock-oidc-server.eoapi.svc.cluster.local 8080; do echo waiting for mock-oidc; sleep 2; done']
+    - name: wait-for-stac
+      image: busybox:1.35
+      command: ['sh', '-c', 'until nc -z eoapi-stac.eoapi.svc.cluster.local 8080; do echo waiting for stac service; sleep 2; done']
   env:
     UPSTREAM_URL: "http://eoapi-stac:8080"
     # For testing one could deploy a mock OIDC server (https://github.com/alukach/mock-oidc-server)

charts/eoapi/templates/core/stac-auth-proxy-patch.yaml

@@ -27,6 +27,7 @@ spec:
       - name: patch-deployment
         image: bitnami/kubectl:latest
         imagePullPolicy: IfNotPresent
+        # Use python3 for JSON manipulation (bitnami/kubectl includes python3)
         command:
         - /bin/bash
         - -c
@@ -45,7 +46,8 @@ spec:
             exit 0
           fi
           echo "Patching deployment with initContainers..."
-          INIT_CONTAINERS_JSON='{{ index .Values "stac-auth-proxy" "initContainers" | toJson }}'
+          # Use Helm templating to replace service names in the JSON string
+          INIT_CONTAINERS_JSON='{{ index .Values "stac-auth-proxy" "initContainers" | toJson | replace "eoapi-stac.eoapi" (printf "%s-stac.%s" .Release.Name .Release.Namespace) | replace "eoapi-mock-oidc-server.eoapi" (printf "%s-mock-oidc-server.%s" .Release.Name .Release.Namespace) }}'
           kubectl patch deployment "$DEPLOYMENT_NAME" -n "$NAMESPACE" --type='json' -p="[{\"op\":\"add\",\"path\":\"/spec/template/spec/initContainers\",\"value\":$INIT_CONTAINERS_JSON}]"
           echo "Waiting for rollout..."
           kubectl rollout status deployment/"$DEPLOYMENT_NAME" -n "$NAMESPACE" --timeout=300s

scripts/deploy.sh

@@ -393,8 +393,13 @@ deploy_eoapi() {
 
         # Set UPSTREAM_URL and OIDC_DISCOVERY_URL dynamically for stac-auth-proxy when experimental profile is used
         # The experimental profile enables stac-auth-proxy, so we need to set the correct service names
+        # Also configure STAC service to run without root path when behind auth proxy
         HELM_CMD="$HELM_CMD --set stac-auth-proxy.env.UPSTREAM_URL=http://$RELEASE_NAME-stac:8080"
         HELM_CMD="$HELM_CMD --set stac-auth-proxy.env.OIDC_DISCOVERY_URL=http://$RELEASE_NAME-mock-oidc-server.$NAMESPACE.svc.cluster.local:8080/.well-known/openid-configuration"
+        # Note: initContainer service names are dynamically replaced by the stac-auth-proxy-patch job
+        # Configure STAC service to run without root path when behind auth proxy
+        # Empty string makes STAC service run at root path (no --root-path argument)
+        HELM_CMD="$HELM_CMD --set 'stac.overrideRootPath='"
 
         HELM_CMD="$HELM_CMD --set eoapi-notifier.enabled=true"
         HELM_CMD="$HELM_CMD --set eoapi-notifier.config.sources[0].config.connection.existingSecret.name=$RELEASE_NAME-pguser-eoapi"

scripts/deployment.sh

@@ -86,9 +86,14 @@ run_deployment() {
 
     # Set UPSTREAM_URL and OIDC_DISCOVERY_URL dynamically for stac-auth-proxy when experimental profile is used
     # The experimental profile enables stac-auth-proxy, so we need to set the correct service names
+    # Also configure STAC service to run without root path when behind auth proxy
     if [[ "$use_experimental" == "true" ]]; then
         helm_cmd="$helm_cmd --set stac-auth-proxy.env.UPSTREAM_URL=http://$RELEASE_NAME-stac:8080"
         helm_cmd="$helm_cmd --set stac-auth-proxy.env.OIDC_DISCOVERY_URL=http://$RELEASE_NAME-mock-oidc-server.$NAMESPACE.svc.cluster.local:8080/.well-known/openid-configuration"
+        # Note: initContainer service names are dynamically replaced by the stac-auth-proxy-patch job
+        # Configure STAC service to run without root path when behind auth proxy
+        # Empty string makes STAC service run at root path (no --root-path argument)
+        helm_cmd="$helm_cmd --set 'stac.overrideRootPath='"
     fi
 
     if is_ci; then

tests/integration/test_stac_auth.py

@@ -3,8 +3,6 @@
 import json
 import os
 import subprocess
-import time
-from datetime import datetime, timedelta
 from typing import Generator
 
 import httpx
@@ -19,12 +17,11 @@
 
 @pytest.fixture(scope="module")
 def mock_oidc_server() -> Generator[str, None, None]:
-    """Use or deploy mock OIDC server for testing."""
+    """Use Helm-deployed mock OIDC server for testing."""
     namespace = os.getenv("NAMESPACE", "eoapi")
     release_name = os.getenv("RELEASE_NAME", "eoapi")
-    deployed_by_fixture = False
 
-    # Check if mock OIDC server is already deployed by helm
+    # Check if mock OIDC server is deployed by Helm
     result = subprocess.run(
         [
             "kubectl",
@@ -40,201 +37,39 @@ def mock_oidc_server() -> Generator[str, None, None]:
         text=True,
     )
 
-    if result.returncode == 0:
-        # Mock OIDC server is already deployed by helm
-        deployment = json.loads(result.stdout)
-        if deployment.get("status", {}).get("readyReplicas", 0) > 0:
-            # Server is ready, use it
-            oidc_url = f"http://{release_name}-mock-oidc-server.{namespace}.svc.cluster.local:8080"
-            yield oidc_url
-            return  # Don't cleanup helm-deployed server
-
-    # If not deployed by helm, deploy it manually for testing
-    deployed_by_fixture = True
-    deployment_yaml = f"""
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: mock-oidc-server
-  namespace: {namespace}
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: mock-oidc-server
-  template:
-    metadata:
-      labels:
-        app: mock-oidc-server
-    spec:
-      containers:
-      - name: mock-oidc
-        image: ghcr.io/alukach/mock-oidc-server:latest
-        env:
-        - name: MOCK_OIDC_PORT
-          value: "8888"
-        - name: MOCK_OIDC_CLIENT_ID
-          value: "test-client"
-        - name: MOCK_OIDC_CLIENT_SECRET
-          value: "test-secret"
-        ports:
-        - containerPort: 8888
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: mock-oidc-server
-  namespace: {namespace}
-spec:
-  selector:
-    app: mock-oidc-server
-  ports:
-  - port: 8080
-    targetPort: 8888
-"""
-
-    # Apply deployment
-    result = subprocess.run(
-        ["kubectl", "apply", "-f", "-"],
-        input=deployment_yaml,
-        text=True,
-        capture_output=True,
-    )
     if result.returncode != 0:
-        pytest.skip(f"Failed to deploy mock OIDC server: {result.stderr}")
-
-    # Wait for pod to be ready
-    for _ in range(30):
-        result = subprocess.run(
-            [
-                "kubectl",
-                "get",
-                "pods",
-                "-n",
-                namespace,
-                "-l",
-                "app=mock-oidc-server",
-                "--field-selector=status.phase=Running",
-                "-o",
-                "json",
-            ],
-            capture_output=True,
-            text=True,
-        )
-        if result.returncode == 0:
-            pods = json.loads(result.stdout)
-            if pods.get("items"):
-                break
-        time.sleep(2)
-    else:
-        pytest.skip("Mock OIDC server failed to start")
-
-    # Update stac-auth-proxy to use mock OIDC server (only if deployed by fixture)
-    oidc_url = f"http://mock-oidc-server.{namespace}.svc.cluster.local:8080"
-    if deployed_by_fixture:
-        subprocess.run(
-            [
-                "kubectl",
-                "set",
-                "env",
-                f"deployment/{release_name}-stac-auth-proxy",
-                f"OIDC_DISCOVERY_URL={oidc_url}/.well-known/openid-configuration",
-                "DEFAULT_PUBLIC=true",
-                "-n",
-                namespace,
-            ],
-            capture_output=True,
+        pytest.skip(
+            "Mock OIDC server not deployed. Enable mockOidcServer in Helm values."
         )
 
-        # Wait for stac-auth-proxy to restart and become ready
-        time.sleep(5)
-        for _ in range(30):
-            result = subprocess.run(
-                [
-                    "kubectl",
-                    "get",
-                    "pods",
-                    "-n",
-                    namespace,
-                    "-l",
-                    f"app.kubernetes.io/instance={release_name},app.kubernetes.io/name=stac-auth-proxy",
-                    "--field-selector=status.phase=Running",
-                    "-o",
-                    "json",
-                ],
-                capture_output=True,
-                text=True,
-            )
-            if result.returncode == 0:
-                pods = json.loads(result.stdout)
-                if pods.get("items") and len(pods["items"]) > 0:
-                    # Check if auth proxy started successfully with new config
-                    result = subprocess.run(
-                        [
-                            "kubectl",
-                            "logs",
-                            f"deployment/{release_name}-stac-auth-proxy",
-                            "-n",
-                            namespace,
-                            "--tail=5",
-                        ],
-                        capture_output=True,
-                        text=True,
-                    )
-                    if "Application startup complete" in result.stdout:
-                        break
-            time.sleep(2)
+    # Verify the server is ready
+    deployment = json.loads(result.stdout)
+    if deployment.get("status", {}).get("readyReplicas", 0) == 0:
+        pytest.skip("Mock OIDC server not ready")
 
+    # Return the service URL - no manual deployment or cleanup needed
+    oidc_url = f"http://{release_name}-mock-oidc-server.{namespace}.svc.cluster.local:8080"
     yield oidc_url
 
-    # Cleanup only if deployed by this fixture
-    if deployed_by_fixture:
-        subprocess.run(
-            [
-                "kubectl",
-                "delete",
-                "deployment",
-                "mock-oidc-server",
-                "-n",
-                namespace,
-            ],
-            capture_output=True,
-        )
-        subprocess.run(
-            [
-                "kubectl",
-                "delete",
-                "service",
-                "mock-oidc-server",
-                "-n",
-                namespace,
-            ],
-            capture_output=True,
-        )
-
 
 @pytest.fixture
-def valid_token(mock_oidc_server: str) -> str:
-    """Generate valid JWT token."""
-    try:
-        import jwt
-    except ImportError:
-        pytest.skip("pyjwt not installed")
+def dummy_token(mock_oidc_server: str) -> str:
+    """Create a dummy JWT token for testing auth proxy behavior.
+
+    This is a dummy token used to test that the auth proxy is correctly
+    processing Authorization headers and rejecting invalid tokens.
+
+    Args:
+        mock_oidc_server: URL of the mock OIDC server (unused but required for fixture)
 
-    payload = {
-        "sub": "test-user",
-        "email": "[email protected]",
-        "iss": mock_oidc_server,
-        "aud": "test-client",
-        "exp": datetime.utcnow() + timedelta(hours=1),
-        "iat": datetime.utcnow(),
-    }
-    # Mock OIDC server uses a simple secret
-    token = jwt.encode(payload, "test-secret", algorithm="HS256")
-    # Handle both str (newer PyJWT) and bytes (older PyJWT) return types
-    if isinstance(token, bytes):
-        return token.decode("utf-8")
-    return str(token)
+    Returns:
+        A dummy Bearer token string for testing
+
+    Note:
+        The actual token validation will fail, which is the expected behavior
+        since creating valid OIDC tokens requires complex authorization flows.
+    """
+    return "Bearer dummy-token-for-testing"
 
 
 def test_stac_write_create_item_without_token(
@@ -271,3 +106,77 @@ def test_stac_write_create_item_without_token(
     assert resp.status_code in [401, 403], (
         f"Expected 401 Unauthorized or 403 Forbidden, got {resp.status_code}"
     )
+
+
+def test_stac_write_create_item_with_dummy_token(
+    stac_endpoint: str, mock_oidc_server: str, dummy_token: str
+) -> None:
+    """Test that auth proxy correctly processes and rejects invalid tokens.
+
+    This test verifies the auth proxy is working by sending a request with
+    an invalid Authorization header. The expected behavior is rejection
+    with 401 or 403 status code.
+
+    Args:
+        stac_endpoint: The STAC API endpoint URL
+        mock_oidc_server: URL of the mock OIDC server (for test context)
+        dummy_token: A dummy Bearer token for testing
+
+    Validates:
+        - Auth proxy intercepts requests with Authorization headers
+        - Invalid tokens are properly rejected (401/403 response)
+        - Auth system is functioning correctly
+    """
+    # Attempt to create an item with invalid authorization
+    headers = {"Authorization": dummy_token}
+    resp = client.post(
+        f"{stac_endpoint}/collections/noaa-emergency-response/items",
+        headers=headers,
+        json={
+            "id": "test-auth-item-with-dummy-token",
+            "type": "Feature",
+            "stac_version": "1.0.0",
+            "properties": {"datetime": "2024-01-01T00:00:00Z"},
+            "geometry": {"type": "Point", "coordinates": [0, 0]},
+            "links": [],
+            "assets": {},
+            "collection": "noaa-emergency-response",
+            "bbox": [-0.1, -0.1, 0.1, 0.1],
+        },
+    )
+
+    # Verify auth proxy correctly rejects invalid token
+    assert resp.status_code in [401, 403], (
+        f"Expected 401 Unauthorized or 403 Forbidden with invalid token, "
+        f"got {resp.status_code}. This indicates the auth proxy may not be "
+        f"properly validating Authorization headers."
+    )
+
+
+def test_auth_proxy_integration_with_mock_oidc() -> None:
+    """Integration test to verify auth proxy can communicate with mock OIDC server.
+
+    This test verifies that the auth proxy can successfully:
+    1. Connect to the mock OIDC server
+    2. Retrieve OIDC configuration
+    3. Access JWKS for token validation
+    4. Validate properly signed JWT tokens
+    5. Allow authenticated write operations
+
+    Implementation approaches:
+    - Run tests in-cluster (e.g., as a Job or from another pod)
+    - Use kubectl port-forward to expose mock OIDC server
+    - Extract and use the mock server's actual RSA private key
+    - Create tokens using the server's token generation endpoint
+
+    Note: This test is currently skipped because it requires network access to
+    internal k8s services that aren't available from external test environments.
+    """
+    pytest.skip(
+        "This test requires network access to internal k8s services. "
+        "To implement:\n"
+        "1. Set up kubectl port-forward for mock OIDC server\n"
+        "2. Get valid token from http://localhost:PORT/ endpoint\n"
+        "3. Test STAC write operations with valid Authorization header\n"
+        "4. Verify 200/201 responses for authenticated requests"
+    )