From ea0e1aee4b6a6aec68a043a5017fe1113a644fee Mon Sep 17 00:00:00 2001 From: Felix Delattre Date: Mon, 15 Dec 2025 22:48:20 +0100 Subject: [PATCH] Added custom filter logic for stac-auth-proxy. --- CHANGELOG.md | 1 + .../data/stac-auth-proxy/custom_filters.py | 27 +++++++ .../stac-auth-proxy-filters-configmap.yaml | 16 ++++ .../tests/stac-auth-proxy-filters_test.yaml | 77 +++++++++++++++++++ charts/eoapi/values.yaml | 34 +++++++- 5 files changed, 151 insertions(+), 4 deletions(-) create mode 100644 charts/eoapi/data/stac-auth-proxy/custom_filters.py create mode 100644 charts/eoapi/templates/core/stac-auth-proxy-filters-configmap.yaml create mode 100644 charts/eoapi/tests/stac-auth-proxy-filters_test.yaml diff --git a/CHANGELOG.md b/CHANGELOG.md index d0dbc188..95df3a8a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Added - Added support for annotations on the PgSTAC bootstrap job via `pgstacBootstrap.jobAnnotations` in values.yaml [#381](https://github.com/developmentseed/eoapi-k8s/pull/381) +- Added support for custom filters configuration via `customFiltersFile` in values.yaml [#388](https://github.com/developmentseed/eoapi-k8s/pull/388) ### Fixed diff --git a/charts/eoapi/data/stac-auth-proxy/custom_filters.py b/charts/eoapi/data/stac-auth-proxy/custom_filters.py new file mode 100644 index 00000000..47224674 --- /dev/null +++ b/charts/eoapi/data/stac-auth-proxy/custom_filters.py 
@@ -0,0 +1,27 @@
+"""
+Sample custom filters for STAC Auth Proxy.
+This file demonstrates the structure needed for custom collection and item filters.
+"""
+
+import dataclasses
+from typing import Any
+
+
+@dataclasses.dataclass
+class CollectionsFilter:
+ """Filter collections based on user permissions."""
+
+ async def __call__(self, context: dict[str, Any]) -> str:
+ """Return True if user can access this collection."""
+ # Example: Allow all collections for authenticated users
+ return "1=1"
+
+
+@dataclasses.dataclass
+class ItemsFilter:
+ """Filter items based on user permissions."""
+
+ async def __call__(self, context: dict[str, Any]) -> str:
+ """Return True if user can access this item."""
+ # Example: Allow all items for authenticated users
+ return "1=1"
diff --git a/charts/eoapi/templates/core/stac-auth-proxy-filters-configmap.yaml b/charts/eoapi/templates/core/stac-auth-proxy-filters-configmap.yaml
new file mode 100644
index 00000000..eff2ab52
--- /dev/null
+++ b/charts/eoapi/templates/core/stac-auth-proxy-filters-configmap.yaml
@@ -0,0 +1,16 @@
+{{- if index .Values "stac-auth-proxy" "enabled" }}
+{{- $stacAuthProxy := index .Values "stac-auth-proxy" }}
+{{- if and (hasKey $stacAuthProxy "extraVolumes") $stacAuthProxy.extraVolumes }}
+{{- $filterFile := $stacAuthProxy.customFiltersFile | default "data/stac-auth-proxy/custom_filters.py" }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Release.Name }}-stac-auth-proxy-filters
+ labels:
+ {{- include "eoapi.labels" . | nindent 4 }}
+ app.kubernetes.io/component: stac-auth-proxy
+data:
+ custom_filters.py: |
+{{ .Files.Get $filterFile | indent 4 }}
+{{- end }}
+{{- end }}
diff --git a/charts/eoapi/tests/stac-auth-proxy-filters_test.yaml b/charts/eoapi/tests/stac-auth-proxy-filters_test.yaml
new file mode 100644
index 00000000..f89b5985
--- /dev/null
+++ b/charts/eoapi/tests/stac-auth-proxy-filters_test.yaml
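Review bot: Both `__call__` docstrings say they "Return True if user can access" the resource, but the annotated return type is `str` and each body returns the CQL2 expression `"1=1"`, i.e. an allow-all filter that never reads `context`; the `# Example: Allow all ... for authenticated users` comments are misleading because nothing in this file checks authentication. Since this is the file operators copy when they enable `COLLECTIONS_FILTER_CLS`/`ITEMS_FILTER_CLS`, the docstrings should state what is actually returned and that the sample is a no-op, e.g. `"""Return a CQL2 filter expression applied to every collections request; this sample returns the allow-all expression "1=1" regardless of context."""`. A one-line `# TODO: derive the expression from context before using this filter in production` above each `return "1=1"` would make the placeholder status explicit to anyone who mounts the file unchanged. The keys the proxy places in `context` are not visible in this patch, so I have not suggested a concrete lookup.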
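Review bot: `{{ .Files.Get $filterFile | indent 4 }}` under `data:` renders an empty `custom_filters.py` whenever `customFiltersFile` names a path that is not packaged in the chart, because `.Files.Get` returns an empty string for a missing file; the ConfigMap is still created and mounted over the proxy's own `custom_filters.py`, and the problem only surfaces at pod start, if at all. Failing the render is the safer behaviour: add `{{- $content := .Files.Get $filterFile }}` and `{{- if not $content }}{{ fail (printf "stac-auth-proxy.customFiltersFile %q was not found in the chart" $filterFile) }}{{- end }}` before `apiVersion:`, then emit `{{ $content | indent 4 }}`. Separately, the ConfigMap is gated on `extraVolumes` being non-empty rather than on a filter being configured, so any unrelated extra volume also triggers creation of this object; gating on `customFiltersFile` (or on `COLLECTIONS_FILTER_CLS`/`ITEMS_FILTER_CLS` being present in `env`) would tie it to the feature it serves.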
@@ -0,0 +1,77 @@
+suite: test stac-auth-proxy custom filters ConfigMap
+templates:
+ - templates/_helpers/core.tpl
+ - templates/core/stac-auth-proxy-filters-configmap.yaml
+
+tests:
+ - it: should create ConfigMap when stac-auth-proxy is enabled and extraVolumes is defined
+ set:
+ stac-auth-proxy.enabled: true
+ stac-auth-proxy.extraVolumes:
+ - name: filters
+ configMap:
+ name: test-filters
+ template: templates/core/stac-auth-proxy-filters-configmap.yaml
+ asserts:
+ - isKind:
+ of: ConfigMap
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-stac-auth-proxy-filters
+ - isNotEmpty:
+ path: data
+
+ - it: should not create ConfigMap when stac-auth-proxy is disabled
+ set:
+ stac-auth-proxy.enabled: false
+ stac-auth-proxy.extraVolumes:
+ - name: filters
+ configMap:
+ name: test-filters
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should not create ConfigMap when extraVolumes is not defined
+ set:
+ stac-auth-proxy.enabled: true
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should have correct labels
+ set:
+ stac-auth-proxy.enabled: true
+ stac-auth-proxy.extraVolumes:
+ - name: filters
+ configMap:
+ name: test-filters
+ template: templates/core/stac-auth-proxy-filters-configmap.yaml
+ asserts:
+ - equal:
+ path: metadata.labels["app.kubernetes.io/component"]
+ value: stac-auth-proxy
+ - exists:
+ path: metadata.labels["app.kubernetes.io/name"]
+ - exists:
+ path: metadata.labels["app.kubernetes.io/instance"]
+ - exists:
+ path: metadata.labels["helm.sh/chart"]
+
+ - it: should use custom file path when customFiltersFile is specified
+ set:
+ stac-auth-proxy.enabled: true
+ stac-auth-proxy.customFiltersFile: "data/eoepca_filters.py"
+ stac-auth-proxy.extraVolumes:
+ - name: filters
+ configMap:
+ name: test-filters
+ template: templates/core/stac-auth-proxy-filters-configmap.yaml
+ asserts:
+ - isKind:
+ of: ConfigMap
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-stac-auth-proxy-filters
+ - isNotEmpty:
+ path: data
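Review bot: None of the cases asserts on the rendered filter content, so `isNotEmpty: path: data` passes as long as the `custom_filters.py` key exists, even when `.Files.Get` returned an empty string for a missing file. In particular, the `should use custom file path when customFiltersFile is specified` case points at `data/eoepca_filters.py`, which this patch does not add to the chart, so that case most likely verifies an empty ConfigMap rather than that the custom path was read. Asserting on the value would catch both problems: in the default-path case replace the final `isNotEmpty` with `- matchRegex:` / `    path: data["custom_filters.py"]` / `    pattern: "class CollectionsFilter"`, and point the custom-path case at a file that actually ships in the chart (or assert that rendering fails if the template is changed to reject missing files).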
diff --git a/charts/eoapi/values.yaml b/charts/eoapi/values.yaml
index 62608f00..927f2c21 100644
--- a/charts/eoapi/values.yaml
+++ b/charts/eoapi/values.yaml
@@ -415,15 +415,41 @@ stac:
 # STAC Auth Proxy - authentication layer for STAC API
 stac-auth-proxy:
 enabled: false
- env:
- DEFAULT_PUBLIC: "true"
- # UPSTREAM_URL will be set dynamically in template to point to stac service
- # OIDC_DISCOVERY_URL must be configured when enabling auth
 ingress:
 enabled: false # Handled by main eoapi ingress
 service:
 port: 8080
 resources: {}
+ env:
+ # OIDC_DISCOVERY_URL must be configured when enabling auth
+ # UPSTREAM_URL will be set dynamically in template to point to stac service
+ #
+ # Authentication filters settings:
+ DEFAULT_PUBLIC: "true" # This enables standard profile for authentication filters
+ # Alternatively with the following settings custom filters can be added
+ # These must be mounted with extraVolumes/extraVolumeMounts (see below)
+ # COLLECTIONS_FILTER_CLS: stac_auth_proxy.custom_filters:CollectionsFilter
+ # ITEMS_FILTER_CLS: stac_auth_proxy.custom_filters:ItemsFilter
+
+ # Path to custom filters file (relative to chart root)
+ # When extraVolumes is configured, a ConfigMap will be created from this file
+ # customFiltersFile: "data/stac-auth-proxy/custom_filters.py"
+
+ # Additional volumes to mount (e.g., for custom filter files)
+ extraVolumes: []
+ # Example:
+ # extraVolumes:
+ # - name: filters
+ # configMap:
+ # name: stac-auth-proxy-filters
+ # Additional volume mounts for the container
+ extraVolumeMounts: []
+ # Example:
+ # extraVolumeMounts:
+ # - name: filters
+ # mountPath: /app/src/stac_auth_proxy/custom_filters.py
+ # subPath: custom_filters.py
+ # readOnly: true
 
 vector:
 enabled: true
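Review bot: The `extraVolumes` example references `name: stac-auth-proxy-filters`, but the ConfigMap template added in this same patch names the object `{{ .Release.Name }}-stac-auth-proxy-filters`, so an operator who copies the example uncommented gets a pod that cannot start because the referenced ConfigMap does not exist; the example should read `#       name: <release-name>-stac-auth-proxy-filters` with a comment noting that the release name is prefixed. The comment `# This enables standard profile for authentication filters` on `DEFAULT_PUBLIC: "true"` does not describe what the setting does; as far as I recall from the upstream stac-auth-proxy settings, `DEFAULT_PUBLIC` decides whether endpoints are reachable without a token unless explicitly listed as private, which is a security-relevant default that deserves to be stated plainly, e.g. `# "true": endpoints are public unless marked private; set "false" to require a token by default (confirm against upstream docs)`. It would also help to say next to the commented `COLLECTIONS_FILTER_CLS`/`ITEMS_FILTER_CLS` lines that the shipped `custom_filters.py` is an allow-all placeholder and must be replaced before it provides any restriction.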