feat: retrieve tenant from collection for items and ingest endpoints

common/auth/tests/test_resource_extractors.py

@@ -7,6 +7,7 @@
 from veda_auth.resource_extractors import (
     STAC_COLLECTION_PUBLIC,
     STAC_COLLECTION_TEMPLATE,
+    STAC_ITEM_PUBLIC,
     STAC_ITEM_TEMPLATE,
     _extract_collection_resource_id_from_post_body,
     _extract_tenant_from_body,
@@ -174,6 +175,17 @@ async def test_get_item_with_tenant(self):
         result = await extract_stac_resource_id(request)
         assert result == STAC_ITEM_TEMPLATE.format("test-tenant")
 
+    @pytest.mark.asyncio
+    async def test_get_item_without_tenant_uses_public(self):
+        """Test extracting resource ID for GET item without tenant (defaults to public)"""
+        request = MagicMock(spec=Request)
+        request.url.path = "/collections/test-collection/items/test-item"
+        request.method = "GET"
+        request.state = MagicMock()
+
+        result = await extract_stac_resource_id(request)
+        assert result == STAC_ITEM_TEMPLATE.format("public")
+
     @pytest.mark.asyncio
     async def test_post_items_with_tenant(self):
         """Test extracting resource ID for POST items with tenant"""
@@ -196,6 +208,56 @@ async def test_post_bulk_items_with_tenant(self):
         result = await extract_stac_resource_id(request)
         assert result == STAC_COLLECTION_TEMPLATE.format("test-tenant")
 
+    @pytest.mark.asyncio
+    async def test_item_paths_use_collection_tenant_resolver_when_available(self):
+        """Item endpoints should use collection_tenant_resolver when configured on app state"""
+        resolver = AsyncMock(return_value="resolver-tenant")
+
+        def _build_request(path: str, method: str) -> Request:
+            request = MagicMock(spec=Request)
+            request.url.path = path
+            request.method = method
+            request.state = MagicMock()
+            app = MagicMock()
+            app.state.collection_tenant_resolver = resolver
+            request.app = app
+            return request
+
+        item_request = _build_request(
+            "/collections/test-collection/items/test-item", "GET"
+        )
+        item_result = await extract_stac_resource_id(item_request)
+        assert item_result == STAC_ITEM_TEMPLATE.format("resolver-tenant")
+
+        items_request = _build_request("/collections/test-collection/items", "POST")
+        items_result = await extract_stac_resource_id(items_request)
+        assert items_result == STAC_ITEM_TEMPLATE.format("resolver-tenant")
+
+    @pytest.mark.asyncio
+    async def test_collection_tenant_resolver_failure_falls_back_to_public(self):
+        """When collection_tenant_resolver fails, item requests fall back to public"""
+        resolver = AsyncMock(side_effect=Exception("resolver failed"))
+
+        def _build_request(path: str, method: str) -> Request:
+            request = MagicMock(spec=Request)
+            request.url.path = path
+            request.method = method
+            request.state = MagicMock()
+            app = MagicMock()
+            app.state.collection_tenant_resolver = resolver
+            request.app = app
+            return request
+
+        item_request = _build_request(
+            "/collections/test-collection/items/test-item", "GET"
+        )
+        item_result = await extract_stac_resource_id(item_request)
+        assert item_result == STAC_ITEM_PUBLIC
+
+        items_request = _build_request("/collections/test-collection/items", "POST")
+        items_result = await extract_stac_resource_id(items_request)
+        assert items_result == STAC_COLLECTION_PUBLIC
+
 
 class TestExtractIngestResourceId:
     """Test Ingest API resource ID extraction"""

common/auth/veda_auth/pep_middleware.py

@@ -11,7 +11,13 @@
     ResourceNotFoundError,
     TokenError,
 )
-from veda_auth.resource_extractors import COLLECTIONS_CREATE_PATH_RE
+from veda_auth.resource_extractors import (
+    COLLECTIONS_BULK_ITEMS_PATH_RE,
+    COLLECTIONS_CREATE_PATH_RE,
+    COLLECTIONS_ITEM_PATH_RE,
+    COLLECTIONS_ITEMS_PATH_RE,
+    COLLECTIONS_PATH_RE,
+)
 
 from starlette.middleware.base import BaseHTTPMiddleware
 from starlette.requests import Request
@@ -39,6 +45,23 @@ class ProtectedRoute:
     ProtectedRoute(path_re=COLLECTIONS_CREATE_PATH_RE, method="POST", scope="create"),
 )
 
+STAC_PROTECTED_ROUTES: Sequence[ProtectedRoute] = (
+    # Collections
+    ProtectedRoute(path_re=COLLECTIONS_CREATE_PATH_RE, method="POST", scope="create"),
+    ProtectedRoute(path_re=COLLECTIONS_PATH_RE, method="PUT", scope="update"),
+    ProtectedRoute(path_re=COLLECTIONS_PATH_RE, method="PATCH", scope="update"),
+    ProtectedRoute(path_re=COLLECTIONS_PATH_RE, method="DELETE", scope="delete"),
+    # Items
+    ProtectedRoute(path_re=COLLECTIONS_ITEMS_PATH_RE, method="POST", scope="create"),
+    ProtectedRoute(path_re=COLLECTIONS_ITEM_PATH_RE, method="PUT", scope="update"),
+    ProtectedRoute(path_re=COLLECTIONS_ITEM_PATH_RE, method="PATCH", scope="update"),
+    ProtectedRoute(path_re=COLLECTIONS_ITEM_PATH_RE, method="DELETE", scope="delete"),
+    # Bulk items
+    ProtectedRoute(
+        path_re=COLLECTIONS_BULK_ITEMS_PATH_RE, method="POST", scope="create"
+    ),
+)
+
 
 def pep_error_response(
     status_code: int,

common/auth/veda_auth/resource_extractors.py

@@ -10,7 +10,7 @@
 import logging
 import os
 import re
-from typing import Any, Dict, Optional
+from typing import Any, Awaitable, Callable, Dict, Optional
 
 from fastapi import HTTPException, Request
 
@@ -28,6 +28,8 @@
 COLLECTIONS_ITEMS_PATH_RE = r".*?/collections/([^/]+)/items$"
 COLLECTIONS_BULK_ITEMS_PATH_RE = r".*?/collections/([^/]+)/bulk_items$"
 
+CollectionTenantResolver = Callable[[Request, str], Awaitable[Optional[str]]]
+
 _COLLECTIONS_CREATE_PATH_PATTERN = re.compile(COLLECTIONS_CREATE_PATH_RE)
 _COLLECTIONS_PATH_PATTERN = re.compile(COLLECTIONS_PATH_RE)
 _COLLECTIONS_ITEM_PATH_PATTERN = re.compile(COLLECTIONS_ITEM_PATH_RE)
@@ -38,13 +40,46 @@
 def _stac_collection_resource_id(request: Request) -> str:
     """Return tenant-based or public STAC collection resource ID."""
     tenant = getattr(request.state, "tenant", None)
-    return STAC_COLLECTION_TEMPLATE.format(tenant) if tenant else STAC_COLLECTION_PUBLIC
+    if not isinstance(tenant, str) or not tenant:
+        return STAC_COLLECTION_PUBLIC
+    return STAC_COLLECTION_TEMPLATE.format(tenant)
 
 
 def _stac_item_resource_id(request: Request) -> str:
     """Return tenant-based or public STAC item resource ID."""
     tenant = getattr(request.state, "tenant", None)
-    return STAC_ITEM_TEMPLATE.format(tenant) if tenant else STAC_ITEM_PUBLIC
+    if not isinstance(tenant, str) or not tenant:
+        return STAC_ITEM_PUBLIC
+    return STAC_ITEM_TEMPLATE.format(tenant)
+
+
+def _get_collection_tenant_resolver(
+    request: Request,
+) -> Optional[CollectionTenantResolver]:
+    """Return optional collection-tenant resolver from app state if configured"""
+    app = getattr(request, "app", None)
+    if app is None:
+        return None
+    state = getattr(app, "state", None)
+    return getattr(state, "collection_tenant_resolver", None)
+
+
+async def _collection_tenant_for_item(
+    request: Request, collection_id: str
+) -> Optional[str]:
+    """Resolve collection tenant for item operations"""
+    resolver = _get_collection_tenant_resolver(request)
+    if not resolver:
+        return None
+    try:
+        return await resolver(request, collection_id)
+    except Exception as e:
+        logger.warning(
+            "Failed to resolve collection tenant for item ops %s: %s",
+            collection_id,
+            e,
+        )
+        return None
 
 
 def _extract_tenant_from_body(
@@ -87,15 +122,10 @@ async def _extract_collection_resource_id_from_post_body(
         return None
 
 
-async def extract_stac_resource_id(request: Request) -> Optional[str]:
-    """Extract resource ID for STAC API requests
-    Resource ID format matches Keycloak resource definitions (wildcard patterns):
-    - Collections: STAC_COLLECTION_TEMPLATE or STAC_COLLECTION_PUBLIC
-    - Items: STAC_ITEM_TEMPLATE or STAC_ITEM_PUBLIC
-    """
-    path = request.url.path
-    method = request.method
-
+async def _extract_collection_stac_resource_id(
+    request: Request, path: str, method: str
+) -> Optional[str]:
+    """Extract resource ID for collection endpoints, or None if not a collection path"""
     if _COLLECTIONS_CREATE_PATH_PATTERN.match(path) and method == "POST":
         return await _extract_collection_resource_id_from_post_body(request)
 
@@ -104,14 +134,63 @@ async def extract_stac_resource_id(request: Request) -> Optional[str]:
             return await _extract_collection_resource_id_from_post_body(request)
         return _stac_collection_resource_id(request)
 
+    return None
+
+
+async def _extract_item_stac_resource_id(
+    request: Request, path: str, method: str
+) -> Optional[str]:
+    """Extract resource ID for item endpoints, or None if not an item path"""
     if _COLLECTIONS_ITEM_PATH_PATTERN.match(path):
+        # For single item operations, prefer collection tenant when available
+        match = _COLLECTIONS_ITEM_PATH_PATTERN.match(path)
+        collection_id = match.group(1) if match else None
+        if collection_id:
+            tenant = await _collection_tenant_for_item(request, collection_id)
+            if tenant:
+                return STAC_ITEM_TEMPLATE.format(tenant)
         return _stac_item_resource_id(request)
 
-    if _COLLECTIONS_ITEMS_PATH_PATTERN.match(
-        path
-    ) or _COLLECTIONS_BULK_ITEMS_PATH_PATTERN.match(path):
+    if _COLLECTIONS_ITEMS_PATH_PATTERN.match(path):
+        # use collection tenant when available, otherwise collection/public
+        match = _COLLECTIONS_ITEMS_PATH_PATTERN.match(path)
+        collection_id = match.group(1) if match else None
+        if collection_id:
+            tenant = await _collection_tenant_for_item(request, collection_id)
+            if tenant:
+                return STAC_ITEM_TEMPLATE.format(tenant)
+        return _stac_collection_resource_id(request)
+
+    if _COLLECTIONS_BULK_ITEMS_PATH_PATTERN.match(path):
+        match = _COLLECTIONS_BULK_ITEMS_PATH_PATTERN.match(path)
+        collection_id = match.group(1) if match else None
+        if collection_id:
+            tenant = await _collection_tenant_for_item(request, collection_id)
+            if tenant:
+                return STAC_ITEM_TEMPLATE.format(tenant)
         return _stac_collection_resource_id(request)
 
+    return None
+
+
+async def extract_stac_resource_id(request: Request) -> Optional[str]:
+    """Extract resource ID for STAC API requests
+
+    Resource ID format matches Keycloak resource definitions (wildcard patterns):
+    - Collections: STAC_COLLECTION_TEMPLATE or STAC_COLLECTION_PUBLIC
+    - Items: STAC_ITEM_TEMPLATE or STAC_ITEM_PUBLIC
+    """
+    path = request.url.path
+    method = request.method
+
+    collection_id = await _extract_collection_stac_resource_id(request, path, method)
+    if collection_id is not None:
+        return collection_id
+
+    item_id = await _extract_item_stac_resource_id(request, path, method)
+    if item_id is not None:
+        return item_id
+
     if "/queryables" in path or "/search" in path:
         return None
 

stac_api/runtime/src/app.py

@@ -3,6 +3,7 @@
 """
 
 from contextlib import asynccontextmanager
+from typing import Optional
 
 from aws_lambda_powertools.metrics import MetricUnit
 from src.config import (
@@ -94,6 +95,25 @@ async def lifespan(app: FastAPI):
     ],
 )
 
+
+async def collection_tenant_resolver(
+    request: Request, collection_id: str
+) -> Optional[str]:
+    """Resolve a collection's tenant from the database for PEP"""
+    try:
+        from stac_fastapi.types.errors import NotFoundError
+
+        collection = await api.client.get_collection(collection_id, request=request)
+        tenant_field = api_settings.tenant_filter_field
+        return collection.get(tenant_field) or None
+    except NotFoundError:
+        return None
+    except Exception:
+        return None
+
+
+api.app.state.collection_tenant_resolver = collection_tenant_resolver
+
 if api_settings.openid_configuration_url and api_settings.enable_stac_auth_proxy:
     # Use stac-auth-proxy when authentication is enabled, which it will be for production envs
     app = configure_app(
@@ -142,6 +162,10 @@ async def lifespan(app: FastAPI):
     # Use standard FastAPI app when authentication is disabled
     app = api.app
 
+# Ensure the proxy app also exposes the resolver to PEP
+if hasattr(api.app.state, "collection_tenant_resolver"):
+    app.state.collection_tenant_resolver = api.app.state.collection_tenant_resolver
+
 
 def _get_keycloak_pdp_client():
     """Build Keycloak PDP client for PEP from UMA resource server credentials stored in AWS Secrets Manager."""
@@ -179,13 +203,14 @@ def _get_keycloak_pdp_client():
         "PEP middleware enabled, secret_name=%s",
         api_settings.keycloak_uma_resource_server_client_secret_name,
     )
-    from veda_auth.pep_middleware import PEPMiddleware
+    from veda_auth.pep_middleware import STAC_PROTECTED_ROUTES, PEPMiddleware
     from veda_auth.resource_extractors import extract_stac_resource_id
 
     app.add_middleware(
         PEPMiddleware,
         pdp_client=_get_keycloak_pdp_client,
         resource_extractor=extract_stac_resource_id,
+        protected_routes=STAC_PROTECTED_ROUTES,
     )
 else:
     logger.info(