From d0f4c08bd5e160b8fc979c667b58cbb0ba080524 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 30 Nov 2022 11:16:28 +0000
Subject: [PATCH 01/12] Bump stac-fastapi-extensions from 2.4.1 to 2.4.3

Bumps [stac-fastapi-extensions](https://github.com/stac-utils/stac-fastapi) from 2.4.1 to 2.4.3.
- [Release notes](https://github.com/stac-utils/stac-fastapi/releases)
- [Changelog](https://github.com/stac-utils/stac-fastapi/blob/master/CHANGES.md)
- [Commits](https://github.com/stac-utils/stac-fastapi/compare/2.4.1...2.4.3)

---
updated-dependencies:
- dependency-name: stac-fastapi-extensions
 dependency-type: direct:production
 update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot]
---
 requirements-apps-api.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements-apps-api.txt b/requirements-apps-api.txt
index 799a607a..c8ebb387 100644
--- a/requirements-apps-api.txt
+++ b/requirements-apps-api.txt
@@ -1,6 +1,6 @@
 mangum==0.16.0
 pygeofilter==0.2.0
 stac-fastapi.api==2.4.1
-stac-fastapi.extensions==2.4.1
+stac-fastapi.extensions==2.4.3
 stac-fastapi.pgstac==2.3.0
 stac-fastapi.types==2.4.1

From f81bf426cd7d72995587409897af3b5e66c58169 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 30 Nov 2022 11:16:33 +0000
Subject: [PATCH 02/12] Bump stac-fastapi-types from 2.4.1 to 2.4.3

Bumps [stac-fastapi-types](https://github.com/stac-utils/stac-fastapi) from 2.4.1 to 2.4.3.
- [Release notes](https://github.com/stac-utils/stac-fastapi/releases)
- [Changelog](https://github.com/stac-utils/stac-fastapi/blob/master/CHANGES.md)
- [Commits](https://github.com/stac-utils/stac-fastapi/compare/2.4.1...2.4.3)

---
updated-dependencies:
- dependency-name: stac-fastapi-types
 dependency-type: direct:production
 update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
---
 requirements-apps-api.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements-apps-api.txt b/requirements-apps-api.txt
index 799a607a..98102423 100644
--- a/requirements-apps-api.txt
+++ b/requirements-apps-api.txt
@@ -3,4 +3,4 @@ pygeofilter==0.2.0
 stac-fastapi.api==2.4.1
 stac-fastapi.extensions==2.4.1
 stac-fastapi.pgstac==2.3.0
-stac-fastapi.types==2.4.1
+stac-fastapi.types==2.4.3

From 1d6437b69d16b5646ebe980369fcfde3b712ac9d Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 30 Nov 2022 11:16:41 +0000
Subject: [PATCH 03/12] Bump stac-fastapi-api from 2.4.1 to 2.4.3

Bumps [stac-fastapi-api](https://github.com/stac-utils/stac-fastapi) from 2.4.1 to 2.4.3.
- [Release notes](https://github.com/stac-utils/stac-fastapi/releases)
- [Changelog](https://github.com/stac-utils/stac-fastapi/blob/master/CHANGES.md)
- [Commits](https://github.com/stac-utils/stac-fastapi/compare/2.4.1...2.4.3)

---
updated-dependencies:
- dependency-name: stac-fastapi-api
 dependency-type: direct:production
 update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot]
---
 requirements-apps-api.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements-apps-api.txt b/requirements-apps-api.txt
index 799a607a..9cee6907 100644
--- a/requirements-apps-api.txt
+++ b/requirements-apps-api.txt
@@ -1,6 +1,6 @@
 mangum==0.16.0
 pygeofilter==0.2.0
-stac-fastapi.api==2.4.1
+stac-fastapi.api==2.4.3
 stac-fastapi.extensions==2.4.1
 stac-fastapi.pgstac==2.3.0
 stac-fastapi.types==2.4.1

From 8166902a2399c0d06cfafa4ab57b613b5c224bb4 Mon Sep 17 00:00:00 2001
From: Jake Herrmann
Date: Thu, 8 Dec 2022 10:14:28 -0900
Subject: [PATCH 04/12] bump pgstac version

---
 requirements-apps-api.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements-apps-api.txt b/requirements-apps-api.txt
index ba64fc4d..1ee080f0 100644
--- a/requirements-apps-api.txt
+++ b/requirements-apps-api.txt
@@ -2,5 +2,5 @@ mangum==0.16.0
 pygeofilter==0.2.0
 stac-fastapi.api==2.4.3
 stac-fastapi.extensions==2.4.3
-stac-fastapi.pgstac==2.3.0
+stac-fastapi.pgstac==2.4.3
 stac-fastapi.types==2.4.3

From 7bb84944eee49f94b1a49030fcacc1c144668c42 Mon Sep 17 00:00:00 2001
From: Jake Herrmann
Date: Thu, 8 Dec 2022 10:16:56 -0900
Subject: [PATCH 05/12] remove pygeofilter pin

---
 requirements-apps-api.txt | 1 -
 1 file changed, 1 deletion(-)

diff --git a/requirements-apps-api.txt b/requirements-apps-api.txt
index 1ee080f0..bfbf2465 100644
--- a/requirements-apps-api.txt
+++ b/requirements-apps-api.txt
@@ -1,5 +1,4 @@
 mangum==0.16.0
-pygeofilter==0.2.0
 stac-fastapi.api==2.4.3
 stac-fastapi.extensions==2.4.3
 stac-fastapi.pgstac==2.4.3

From 778633ebd242f056c2f84795b7b11f9d55a8a3c4 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 8 Dec 2022 19:18:48 +0000
Subject: [PATCH 06/12] Bump mangum from 0.16.0 to 0.17.0

Bumps [mangum](https://github.com/jordaneremieff/mangum) from 0.16.0 to 0.17.0.
- [Release notes](https://github.com/jordaneremieff/mangum/releases)
- [Changelog](https://github.com/jordaneremieff/mangum/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jordaneremieff/mangum/compare/0.16.0...0.17.0)

---
updated-dependencies:
- dependency-name: mangum
 dependency-type: direct:production
 update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot]
---
 requirements-apps-api.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements-apps-api.txt b/requirements-apps-api.txt
index bfbf2465..8591cc64 100644
--- a/requirements-apps-api.txt
+++ b/requirements-apps-api.txt
@@ -1,4 +1,4 @@
-mangum==0.16.0
+mangum==0.17.0
 stac-fastapi.api==2.4.3
 stac-fastapi.extensions==2.4.3
 stac-fastapi.pgstac==2.4.3

From 31b7af4cac08ad638fe0be4637644860757df972 Mon Sep 17 00:00:00 2001
From: Jake Herrmann Date: Thu, 8 Dec 2022 15:34:22 -0900 Subject: [PATCH 07/12] disable transaction endpoints for public API --- Makefile | 1 + README.md | 10 +++++++--- apps/api/src/api.py | 13 ++++++++++++- 3 files changed, 20 insertions(+), 4 deletions(-) diff --git a/Makefile b/Makefile index 8d5947e9..28eee611 100644 --- a/Makefile +++ b/Makefile @@ -52,6 +52,7 @@ pypgstac-load: run-api: POSTGRES_HOST_READER=${db_host} POSTGRES_HOST_WRITER=${db_host} POSTGRES_PORT=5432 \ POSTGRES_DBNAME=postgres POSTGRES_USER=postgres POSTGRES_PASS=${db_admin_password} \ + ENABLED_EXTENSIONS=${enabled_extensions} \ python -m stac_fastapi.pgstac.app test: diff --git a/README.md b/README.md index cb43c671..2d316b95 100644 --- a/README.md +++ b/README.md @@ -132,14 +132,18 @@ Run: make run-api db_host= db_admin_password= ``` +You can also append an `enabled_extensions=` argument, where `` is the list of extensions +that gets passed to the `pgstac` app via the `ENABLED_EXTENSIONS` environment variable, as described +in the docstring for the +[module](https://github.com/stac-utils/stac-fastapi/blob/master/stac_fastapi/pgstac/stac_fastapi/pgstac/app.py). + You should see something like `Uvicorn running on http://0.0.0.0:8000 (Press CTRL+C to quit)` in the output; you can query the API at that URL. You can confirm that the Transaction extension is enabled by opening the local API URL in a web browser and appending `/api.html` to open the Swagger UI. You should see various create/update/delete endpoints -under the "Transaction Extension" heading. You should be able to successfully query these endpoints via -the local API, but not via the publicly available API. (TODO: after removing those endpoints completely -from the public API, update this paragraph to reflect that they will no longer appear in the Swagger UI.) +under the "Transaction Extension" heading. These endpoints should not appear in the Swagger UI for the +publicly available API. ## Upgrading the database 
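Review bot: The new `ENABLED_EXTENSIONS=${enabled_extensions} \` line in the `run-api` recipe is exported unconditionally, so a plain `make run-api db_host= db_admin_password=` invocation (the one the README still documents) now hands the pgstac app an empty string instead of leaving the variable unset; whether the app treats an empty value as "no extensions", as its default set, or as a parse error is decided inside `stac_fastapi.pgstac.app` and is not visible in this hunk. If "not given" is meant to fall back to the app's defaults, guard the export with `$(if $(enabled_extensions),ENABLED_EXTENSIONS=$(enabled_extensions)) \`. A one-line comment above the recipe stating which extension set a bare `make run-api` ends up with — the README hunk says it includes the Transaction endpoints, so this target is for local use only — would also make that explicit to anyone who later copies the recipe into a deploy script.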
diff --git a/apps/api/src/api.py b/apps/api/src/api.py
index a537b4b0..7ea4ae48 100644
--- a/apps/api/src/api.py
+++ b/apps/api/src/api.py
@@ -1 +1,12 @@
-from stac_fastapi.pgstac.app import handler # noqa: F401
+import os
+
+os.environ['ENABLED_EXTENSIONS'] = ','.join([
+ 'query',
+ 'sort',
+ 'fields',
+ 'pagination',
+ 'context',
+ 'filter',
+])
+
+from stac_fastapi.pgstac.app import handler # noqa: F401, E402

From 4f4017dae291cf1a35b990c21c0f0a1ec8c40299 Mon Sep 17 00:00:00 2001
From: Jake Herrmann
Date: Thu, 8 Dec 2022 15:37:15 -0900
Subject: [PATCH 08/12] update changelog

---
 CHANGELOG.md | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index a8543b1c..83fe121e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.3.1]
+### Security
+- Removed Transaction endpoints from the publicly available API, though create/update/delete permissions were already
+ restricted at the database layer.
+
 ## [0.3.0]
 ### Added
 - Created a STAC item collection for the `glo-30-hand` dataset.

From c72d93a3fa60d21ed38fec543d424f319eda3ee0 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 9 Dec 2022 11:11:49 +0000
Subject: [PATCH 09/12] Bump boto3 from 1.26.21 to 1.26.26

Bumps [boto3](https://github.com/boto/boto3) from 1.26.21 to 1.26.26.
- [Release notes](https://github.com/boto/boto3/releases)
- [Changelog](https://github.com/boto/boto3/blob/develop/CHANGELOG.rst)
- [Commits](https://github.com/boto/boto3/compare/1.26.21...1.26.26)

---
updated-dependencies:
- dependency-name: boto3
 dependency-type: direct:production
 update-type: version-update:semver-patch
...
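Review bot: The `os.environ['ENABLED_EXTENSIONS'] = ','.join([...])` assignment overwrites whatever the runtime environment provides, which is the right shape for a deny-by-default allowlist — an operator cannot re-enable `transaction` by setting the variable — but nothing in the file says this is deliberate, and a later cleanup to `os.environ.setdefault(...)` would silently reopen the create/update/delete routes. Add a comment above it such as `# Hard-coded allowlist: intentionally overrides any ENABLED_EXTENSIONS from the environment so the public API can never expose the Transaction (create/update/delete) endpoints.`. Whether omitting `transaction` from this list is sufficient also depends on how `stac_fastapi.pgstac.app` parses the variable (not visible here), so a small test that imports `handler` and asserts the ASGI app behind it registers no `POST`/`PUT`/`DELETE` routes would pin the property the CHANGELOG promises, with the database-level write restriction mentioned there staying in place as the second layer. The whole module is inside this hunk.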
Signed-off-by: dependabot[bot]
---
 requirements-run-codebuild.txt | 2 +-
 requirements.txt | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/requirements-run-codebuild.txt b/requirements-run-codebuild.txt
index f576d493..e45f0782 100644
--- a/requirements-run-codebuild.txt
+++ b/requirements-run-codebuild.txt
@@ -1 +1 @@
-boto3==1.26.21
\ No newline at end of file
+boto3==1.26.26
\ No newline at end of file
diff --git a/requirements.txt b/requirements.txt
index 6a69addf..3baed650 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,7 +1,7 @@
 -r requirements-apps-api.txt
 -r requirements-run-codebuild.txt
 ./lib/asf-stac-util/
-boto3==1.26.21
+boto3==1.26.26
 cfn-lint==0.72.1
 flake8==6.0.0
 pypgstac[psycopg]==0.6.10

From 9bcad878b176fbc5cf2dafcd2c980310b5ece10b Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 9 Dec 2022 18:15:29 +0000
Subject: [PATCH 10/12] Bump cfn-lint from 0.72.1 to 0.72.2

Bumps [cfn-lint](https://github.com/aws-cloudformation/cfn-python-lint) from 0.72.1 to 0.72.2.
- [Release notes](https://github.com/aws-cloudformation/cfn-python-lint/releases)
- [Changelog](https://github.com/aws-cloudformation/cfn-lint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws-cloudformation/cfn-python-lint/compare/v0.72.1...v0.72.2)

---
updated-dependencies:
- dependency-name: cfn-lint
 dependency-type: direct:production
 update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot]
---
 requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements.txt b/requirements.txt
index 3baed650..dcd458b7 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -2,7 +2,7 @@
 -r requirements-run-codebuild.txt
 ./lib/asf-stac-util/
 boto3==1.26.26
-cfn-lint==0.72.1
+cfn-lint==0.72.2
 flake8==6.0.0
 pypgstac[psycopg]==0.6.10
 pystac==1.6.1

From f1242d5ae95bfb63832171e50e0b8dadf56c005f Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 9 Dec 2022 18:30:43 +0000
Subject: [PATCH 11/12] Bump pypgstac[psycopg] from 0.6.10 to 0.6.11

Bumps [pypgstac[psycopg]](https://github.com/stac-utils/pgstac) from 0.6.10 to 0.6.11.
- [Release notes](https://github.com/stac-utils/pgstac/releases)
- [Changelog](https://github.com/stac-utils/pgstac/blob/main/CHANGELOG.md)
- [Commits](https://github.com/stac-utils/pgstac/compare/v0.6.10...v0.6.11)

---
updated-dependencies:
- dependency-name: pypgstac[psycopg]
 dependency-type: direct:production
 update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot]
---
 requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements.txt b/requirements.txt
index dcd458b7..0d9771f1 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -4,7 +4,7 @@
 boto3==1.26.26
 cfn-lint==0.72.2
 flake8==6.0.0
-pypgstac[psycopg]==0.6.10
+pypgstac[psycopg]==0.6.11
 pystac==1.6.1
 pytest==7.2.0
 requests==2.28.1

From 9e4d856393d151e97f185c5006b0b1770c172cda Mon Sep 17 00:00:00 2001
From: Jake Herrmann
Date: Fri, 9 Dec 2022 10:06:54 -0900
Subject: [PATCH 12/12] Remove Filter extension

---
 apps/api/src/api.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/apps/api/src/api.py b/apps/api/src/api.py
index 7ea4ae48..47689894 100644
--- a/apps/api/src/api.py
+++ b/apps/api/src/api.py
@@ -6,7 +6,6 @@
 'fields',
 'pagination',
 'context',
- 'filter',
 ])
 
 from stac_fastapi.pgstac.app import handler # noqa: F401, E402
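Review bot: Removing `'filter'` from the allowlist leaves no trace in the code of why it was dropped, and the subject line only restates the change; since the remaining entries now read as the intended public surface, the next extension bump is likely to re-add it without anyone noticing. A short comment in its place, e.g. `# 'filter' intentionally not enabled — <reason>` with the reason filled in, prevents that. The `os.environ['ENABLED_EXTENSIONS'] = ','.join([` statement this list belongs to starts above the hunk.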