Skip to content

feat(stac): add policy enforcement point to all create/update stac endpoints#571

Open
botanical wants to merge 18 commits intodevelopfrom
mt-uma/pep-stac-endpoints
Open

feat(stac): add policy enforcement point to all create/update stac endpoints#571
botanical wants to merge 18 commits intodevelopfrom
mt-uma/pep-stac-endpoints

Conversation

@botanical
Copy link
Member

@botanical botanical commented Mar 9, 2026
edited
Loading

Issue

#559

What?

  • Updates to extend PEP to STAC endpoints for collections where the action is a create or update
  • This takes a very naive approach to apply the policy enforcement point by relying on the request body's tenant value to determine permissions

Testing?

  • Unit and Integration tests updated
Test Case Expected Result Actual Result
User in tenant1 is able to update a collection in tenant1 Allow Allow
User in tenant1 and tenant2 is able to update a collection from tenant1 -> tenant2 Allow Allow
User in tenant1 and tenant2 and not tenant3 is not able to update a collection from tenant1 -> tenant3 Deny Deny
User in tenant1 only attempts to update a collection from tenant1 -> tenant2 Deny  Deny
User in tenant2 only attempts to update a collection from tenant1 -> tenant2 Allow  Allow
User in tenant1 and tenant2 and not tenant3 attempts to update a collection from tenant1 → tenant3 Deny  Deny
User in tenant1 and tenant3 updates a collection from tenant1 -> tenant3 Allow  Allow
User in tenant1 and tenant2 updates a collection from tenant2 -> tenant1 Allow  Allow
User with no tenant memberships updates a public collection (public -> public) Allow  Allow
User in tenant1 updates a public collection to tenant1 (public -> tenant1) Allow  Allow
User in tenant1 attempts to update a collection in tenant1 to public (tenant1 -> public) Allow  Allow

botanical added 15 commits March 9, 2026 11:43
@botanical
feat(stac): add policy enforcement point to all stac endpoints
d1a4e19
@botanical
feat: add unit tests for testing get_matching_scope_and_route
0fa61b8
@botanical
fix: update unit tests with docstrings, start working on integration …
51431cd 
…tests
@botanical
fix: add delete collections integration tests
a7f7bd1
@botanical
fix: add items integration tests
02246e5
@botanical
fix: test setup
23282e0
@botanical
fix: remove post item
6cf9939
@botanical
fix: item creation for tests
da1eb59
@botanical
fix: remove property setting on item, use copied object
802746b
@botanical
fix: add bulk item endpoint tests
84583c2
@botanical
fix: remove items and bulk items
732adc0
@botanical
fix: formatting, remove unused imports now
97ced8a
@botanical
fix: remove items and related tests in unit tests
7a87fba
@botanical
fix: update delete behavior to check stored tenant for source of truth
2760807
@botanical
fix: remove delete to handle in different pr
488e1fb
@botanical botanical changed the title feat(stac): add policy enforcement point to all stac endpoints feat(stac): add policy enforcement point to all create/update stac endpoints Mar 11, 2026
@botanical botanical marked this pull request as ready for review March 11, 2026 22:58
@botanical
Copy link
Member Author

botanical commented Mar 13, 2026

Something I want to note is that it's hard to achieve clear error messages to the user due to our cloudfront configuration which routes errors to 200 and the stac browser 😢 @smohiudd @anayeaye Is it possible for us to explore using amplify at this point? Or should I add guidance on certain errors users might occur with multi-tenant auth?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@botanical