Update OIDC handling and add policies (#57)

* Update OIDC handling

* Update documentation

* Update settings

docs/package/api/app.md

@@ -5,6 +5,7 @@
     * [register\_well\_known](#openeo_fastapi.api.app.OpenEOApi.register_well_known)
     * [register\_get\_capabilities](#openeo_fastapi.api.app.OpenEOApi.register_get_capabilities)
     * [register\_get\_conformance](#openeo_fastapi.api.app.OpenEOApi.register_get_conformance)
+    * [register\_get\_credentials\_oidc](#openeo_fastapi.api.app.OpenEOApi.register_get_credentials_oidc)
     * [register\_get\_file\_formats](#openeo_fastapi.api.app.OpenEOApi.register_get_file_formats)
     * [register\_get\_health](#openeo_fastapi.api.app.OpenEOApi.register_get_health)
     * [register\_get\_user\_info](#openeo_fastapi.api.app.OpenEOApi.register_get_user_info)
@@ -85,6 +86,16 @@ def register_get_conformance()
 
 Register endpoint for api conformance (GET /conformance).
 
+<a id="openeo_fastapi.api.app.OpenEOApi.register_get_credentials_oidc"></a>
+
+#### register\_get\_credentials\_oidc
+
+```python
+def register_get_credentials_oidc()
+```
+
+Register endpoint for api conformance (GET /conformance).
+
 <a id="openeo_fastapi.api.app.OpenEOApi.register_get_file_formats"></a>
 
 #### register\_get\_file\_formats
@@ -404,4 +415,3 @@ def __attrs_post_init__()
 ```
 
 Post-init hook responsible for setting up the application upon instantiation of the class.
-

docs/package/cli.md

@@ -27,7 +27,7 @@ Defining group for executor CLI.
 
 ```python
 @click.command()
-@click.option('--path', default=None, type=str)
+@click.option("--path", default=None, type=str)
 def new(path)
 ```
 

docs/package/client/settings.md

@@ -10,11 +10,12 @@
     * [OPENEO\_PREFIX](#openeo_fastapi.client.settings.AppSettings.OPENEO_PREFIX)
     * [OIDC\_URL](#openeo_fastapi.client.settings.AppSettings.OIDC_URL)
     * [OIDC\_ORGANISATION](#openeo_fastapi.client.settings.AppSettings.OIDC_ORGANISATION)
-    * [OIDC\_ROLES](#openeo_fastapi.client.settings.AppSettings.OIDC_ROLES)
+    * [OIDC\_POLICIES](#openeo_fastapi.client.settings.AppSettings.OIDC_POLICIES)
     * [STAC\_VERSION](#openeo_fastapi.client.settings.AppSettings.STAC_VERSION)
     * [STAC\_API\_URL](#openeo_fastapi.client.settings.AppSettings.STAC_API_URL)
     * [STAC\_COLLECTIONS\_WHITELIST](#openeo_fastapi.client.settings.AppSettings.STAC_COLLECTIONS_WHITELIST)
     * [ensure\_endswith\_slash](#openeo_fastapi.client.settings.AppSettings.ensure_endswith_slash)
+    * [split\_oidc\_policies\_str\_to\_list](#openeo_fastapi.client.settings.AppSettings.split_oidc_policies_str_to_list)
     * [Config](#openeo_fastapi.client.settings.AppSettings.Config)
 
 <a id="openeo_fastapi.client.settings"></a>
@@ -73,19 +74,37 @@ The OpenEO prefix to be used when creating the endpoint urls.
 
 #### OIDC\_URL
 
-The URL of the OIDC provider used to authenticate tokens against.
+The policies to be used for authenticated users with the backend, if not set, any usser with a valid token from the issuer is accepted.
 
 <a id="openeo_fastapi.client.settings.AppSettings.OIDC_ORGANISATION"></a>
 
 #### OIDC\_ORGANISATION
 
 The abbreviation of the OIDC provider's organisation name, e.g. egi.
 
-<a id="openeo_fastapi.client.settings.AppSettings.OIDC_ROLES"></a>
+<a id="openeo_fastapi.client.settings.AppSettings.OIDC_POLICIES"></a>
 
-#### OIDC\_ROLES
+#### OIDC\_POLICIES
 
-The OIDC roles to check against when authenticating a user.
+The OIDC policies to check against when authorizing a user. If not provided, all users with a valid token from the issuer will be admitted.
+
+"&&" Is used to denote the addition of another policy.
+Policies in the list should be structures as "key, value".
+The key referers to some value that is expected to be found in the OIDC userinfo request.
+The value referes to some value that is then checked for presence in the values found at the key location.
+
+**Example**:
+
+```
+{
+    "email": [email protected],
+    "groups" : [ "/staff" ]
+}
+
+A valid policy to allow members from the group staff would be, "groups, /staff". This would be the value provided to OIDC_POLICIES.
+
+If you wanted to include users from another group called "/trial", the updated value to OIDC_POLICIES would be, "groups, /staff && groups, /trial"
+```
 
 <a id="openeo_fastapi.client.settings.AppSettings.STAC_VERSION"></a>
 
@@ -116,6 +135,17 @@ def ensure_endswith_slash(cls, v: str) -> str
 
 Ensure the STAC_API_URL ends with a trailing slash.
 
+<a id="openeo_fastapi.client.settings.AppSettings.split_oidc_policies_str_to_list"></a>
+
+#### split\_oidc\_policies\_str\_to\_list
+
+```python
+@validator("OIDC_POLICIES", pre=True)
+def split_oidc_policies_str_to_list(cls, v: str) -> str
+```
+
+Ensure the OIDC_POLICIES are split and formatted correctly.
+
 <a id="openeo_fastapi.client.settings.AppSettings.Config"></a>
 
 ## Config Objects

docs/setup.md

@@ -1,6 +1,6 @@
 #  Getting Started
 
-Everything on this page is all you need to go from 0 to having your OpenEO Api server running locally. 
+Everything on this page is all you need to go from 0 to having your OpenEO Api server running locally.
 
 ## Environment Setup
 
@@ -65,19 +65,19 @@ Set the target metadata. In this example, I am importing from the **/psql/models
 
 ## Set the environment variables
 
-These variables need to be set in the environment of the deployment. Those marked required need to be set, and those set False, have some default value that only needs to be provided 
+These variables need to be set in the environment of the deployment. Those marked required need to be set, and those set False, have some default value that only needs to be provided
 
 | Variable    | Description | Required |
 | -------- | ------- | ------- |
-| API_DNS  | The domain name hosting the API. | True | 
+| API_DNS  | The domain name hosting the API. | True |
 | API_TLS  | Whether the API http scheme should be http or https.  | True |
-| API_TITLE  | The API title to be provided to FastAPI. | True | 
+| API_TITLE  | The API title to be provided to FastAPI. | True |
 | API_DESCRIPTION  | The API description to be provided to FastAPI. | True |
 | OPENEO_VERSION  | The OpenEO Api specification version supported in this deployment of the API. Defaults to "1.1.0". | False |
 | OPENEO_PREFIX  | The OpenEO prefix to be used when creating the endpoint urls. Defaults to the value of the openeo_version | True |
 | OIDC_URL  | The URL of the OIDC provider used to authenticate tokens against. | True |
 | OIDC_ORGANISATION  | The abbreviation of the OIDC provider's organisation name. | True |
-| OIDC_ROLES  | The OIDC roles to check against when authenticating a user. | False |
+| OIDC_POLICIES  | The OIDC policies user to check to authorize a user. | False |
 | STAC_VERSION  | The STAC Version that is being supported by this deployments data discovery endpoints. Defaults to "1.0.0". | False |
 | STAC_API_URL  | The STAC URL of the catalogue that the application deployment will proxy to. | True |
 | STAC_COLLECTIONS_WHITELIST  | The collection ids to filter by when proxying to the Stac catalogue. | False |
@@ -88,6 +88,7 @@ These variables need to be set in the environment of the deployment. Those marke
 | POSTGRES_DB  | The name of the databse being used on the host. | True |
 | ALEMBIC_DIR  | The path to the alembic directory for applying revisions. | True |
 
+
 ## Deploy the application.
 
 1. Revise the database.