Merge pull request #87 from linea-it/85-access-private-hips

85 access private hips

Author: glaubervila

backend/config/settings/production.py

@@ -79,6 +79,9 @@
 #     default=True,
 # )
 
+SESSION_COOKIE_DOMAIN  = ".linea.org.br"
+CSRF_COOKIE_DOMAIN = ".linea.org.br"
+
 # STATIC & MEDIA
 # ------------------------
 STORAGES = {

backend/config/urls.py

@@ -48,6 +48,8 @@
         CommonViews.environment_settings,
         name="environment_settings",
     ),
+    path("api/nginx_serve_protected_hips/", CommonViews.nginx_serve_protected_hips, name="protected_hips"),
+    
     path("api/teste/", CommonViews.teste, name="teste"),
     # DRF auth token
     path("api/auth-token/", obtain_auth_token),

backend/sky_viewer/common/api/views.py

@@ -5,7 +5,11 @@
 from rest_framework.decorators import permission_classes
 from rest_framework.permissions import AllowAny
 from rest_framework.response import Response
+from django.contrib.auth.decorators import login_required
+from django.http import HttpResponse, HttpResponseForbidden
+from django.views.decorators.csrf import csrf_exempt
 
+import logging
 
 @api_view(["GET"])
 def teste(request):
@@ -41,3 +45,40 @@ def environment_settings(request):
         "build": "12345",
     }
     return Response(env_settings, status=status.HTTP_200_OK)
+
+
+@csrf_exempt
+def nginx_serve_protected_hips(request):
+    logger = logging.getLogger("django")
+    logger.info("-----------------------------------")
+    logger.info("nginx_serve_protected_hips_debug()")
+
+    data = {
+        'X-Original-URI': request.META.get('HTTP_X_ORIGINAL_URI'),
+        'Cookie': request.META.get('HTTP_COOKIE'),
+        'Path': request.path,
+        'Method': request.method,
+        'META': {k: v for k, v in request.META.items() if k.startswith('HTTP_')},
+    }
+
+    logger.debug(data)
+
+    original_uri = request.META.get('HTTP_X_ORIGINAL_URI')
+    if original_uri.endswith('/properties') or original_uri.endswith('/Moc.fits'):
+        logger.info("Request for properties, temporary always return 200.")
+        return HttpResponse({}, content_type="application/json", status=200)
+    
+    if not request.user.is_authenticated:
+        logger.warning("User is not authenticated, returning 403 Forbidden.")
+        return HttpResponseForbidden({"message":"User is not authenticated."}, content_type="application/json", status=403)
+    
+    logger.info(f"User is authenticated: {request.user.username}")
+
+    # Identifie release from the original URI
+    if original_uri.find('/lsst/dp02/') > -1:
+        # Check if the user has the required group membership for HIPS images
+        if not request.user.groups.filter(name='dp02').exists():
+            logger.warning(f"User {request.user.username} does not have access to DP02 HIPS images.")
+            return HttpResponseForbidden({"message":"User does not have access to DP02 HIPS images."}, content_type="application/json", status=403)
+    
+    return HttpResponse({}, content_type="application/json", status=200)

backend/sky_viewer/common/views.py

@@ -1,6 +1,7 @@
 from django.shortcuts import render
 import logging
 
+
 def saml2_template_failure(request, exception=None, status=403, **kwargs):
     """ Renders a simple template with an error message. """
     logger = logging.getLogger("djangosaml2")

compose/production/frontend/Dockerfile

@@ -9,6 +9,7 @@ ENV NODE_OPTIONS=--max_old_space_size=8192
 WORKDIR /app
 COPY ./frontend/package.json /app
 COPY ./frontend/yarn.lock /app
+COPY ./frontend/aladin-lite-3.7.0-beta.tgz /app
 RUN yarn --non-interactive --ignore-optional --network-timeout 500000
 
 FROM base AS builder

frontend/components/Aladin/index.js

@@ -110,32 +110,49 @@ export default class Aladin extends React.Component {
         fov: 0.5,
       })
 
-      // PRIVATE RELEASES
-      // ----------------------------------------------------------
-      if (Array.isArray(this.props.userGroups) && this.props.userGroups.includes('dp02')) {
-        // LSST DP0.2 IRG HIPS IMAGE
-        this.aladin.setImageSurvey(this.aladin.createImageSurvey(
-          "LSST_DP02_IRG_LIneA",
-          "LSST DP0.2 IRG at LIneA",
-          "https://datasets.linea.org.br/data/releases/lsst/dp02/images/hips/",
-          "equatorial",
-        ), { imgFormat: 'hips' })
-      }
-
-
-
       // PUBLIC RELEASES
       // ----------------------------------------------------------
       // DES DR2 IRG HIPS IMAGE
       // https://aladin.cds.unistra.fr/AladinLite/doc/API/#image-layers
       // https://aladin.cds.unistra.fr/AladinLite/doc/API/
-      this.aladin.setImageSurvey(this.aladin.createImageSurvey(
+      // this.aladin.setImageSurvey(this.aladin.createImageSurvey(
+      //   "DES_DR2_IRG_LIneA",
+      //   "DES DR2 IRG at LIneA",
+      //   "https://datasets.linea.org.br/data/releases/des/dr2/images/hips/",
+      //   "equatorial",
+      // ), { imgFormat: 'hips', requestCredentials: 'include', requestMode: 'cors' })
+
+      const des_dr2 = this.aladin.createImageSurvey(
         "DES_DR2_IRG_LIneA",
         "DES DR2 IRG at LIneA",
         "https://datasets.linea.org.br/data/releases/des/dr2/images/hips/",
         "equatorial",
-      ), { imgFormat: 'hips' })
+      )
+      this.aladin.setImageSurvey(des_dr2, { imgFormat: 'hips', requestCredentials: 'include', requestMode: 'cors' })
 
+
+      // Adiciona a imagem mas não seleciona como imagem principal
+      // this.aladin.addNewImageLayer(A.HiPS(
+      //   "https://datasets.linea.org.br/data/releases/des/dr2/images/hips/",
+      //   {
+      //     name: "DES DR2 IRG at LIneA",
+      //     imgFormat: 'jpg',
+      //     requestCredentials: 'include',
+      //     requestMode: 'cors'
+      //     // "DES DR2 IRG at LIneA",
+      //     // "equatorial",
+      //   }
+      // ))
+
+      // this.aladin.setImageSurvey(this.aladin.createImageSurvey(
+      //   "DES_DR2_IRG_LIneA",
+      //   "DES DR2 Teste Credentials",
+      //   "https://skyviewer-dev.linea.org.br/data/releases/des/dr2/images/hips/",
+      //   "equatorial",
+      // ), { imgFormat: 'hips', requestCredentials: 'include', requestMode: 'cors' })
+
+      //  PUBLIC CATALOGS
+      // ----------------------------------------------------------
       // DES DR2 Catalog HIPScat/HATS
       // https://aladin.cds.unistra.fr/AladinLite/doc/API/examples/catalog-hips-filter/
       // https://hipscat.cds.unistra.fr/HiPSCatService/I/345/gaia2/
@@ -147,7 +164,33 @@ export default class Aladin extends React.Component {
           color: '#33ff42',
           name: 'DES DR2',
         });
-      this.aladin.addCatalog(hips);
+      // this.aladin.addCatalog(hips);
+
+
+
+      // PRIVATE RELEASES
+      // ----------------------------------------------------------
+
+      // LSST DP0.2 IRG HIPS IMAGE
+      if (Array.isArray(this.props.userGroups) && this.props.userGroups.includes('dp02')) {
+        // "https://datasets.linea.org.br/data/releases/lsst/dp02/images/hips/",
+        // this.aladin.setImageSurvey(this.aladin.createImageSurvey(
+        //   "LSST_DP02_IRG_LIneA",
+        //   "LSST DP0.2 IRG at LIneA",
+        //   "https://skyviewer-dev.linea.org.br/data/releases/lsst/dp02/images/hips/",
+        //   "equatorial",
+        // ), { imgFormat: 'hips', requestCredentials: 'include', requestMode: 'cors' })
+        const lsst_dp02 = this.aladin.createImageSurvey(
+          "LSST_DP02_IRG_LIneA",
+          "LSST DP0.2 IRG at LIneA",
+          "https://skyviewer-dev.linea.org.br/data/releases/lsst/dp02/images/hips/",
+          "equatorial",
+        )
+        this.aladin.setImageSurvey(lsst_dp02, { imgFormat: 'hips', requestCredentials: 'include', requestMode: 'cors' })
+        console.log("LSST DP0.2 IRG HIPS IMAGE added")
+      }
+
+
       // console.log(this.aladin)
 
       // var hips = A.catalogHiPS(
@@ -159,20 +202,11 @@ export default class Aladin extends React.Component {
       //   });
       // this.aladin.addCatalog(hips);
 
-      {/* aladin.setImageSurvey(
-        aladin.createImageSurvey(
-          "DSS blue band",
-          "Color DSS blue HiPS",
-          "http://alasky.cds.unistra.fr/DSS/DSS2-blue-XJ-S/",
-          "equatorial",
-          9,
-          {imgFormat: 'fits'})
-        ); // setting a custom HiPS */}
-
       //   // // Cria um catalogo com um unico source
       //   // this.drawCatalog()
       //   // // Centraliza a imagem na posição
       //   // this.goToPosition(this.props.ra, this.props.dec)
+
     })
   }
 

frontend/package.json

@@ -17,7 +17,7 @@
     "@mui/icons-material": "^6.0.2",
     "@mui/material": "^6.0.2",
     "@mui/material-nextjs": "^6.0.2",
-    "aladin-lite": "^3.5.1-beta",
+    "aladin-lite": "/app/aladin-lite-3.7.0-beta.tgz",
     "axios": "^1.9.0",
     "next": "14.2.7",
     "nookies": "^2.5.2",

frontend/yarn.lock

@@ -614,6 +614,10 @@ ajv@^6.12.4:
     json-schema-traverse "^0.4.1"
     uri-js "^4.2.2"
 
+aladin-lite@/app/aladin-lite-3.7.0-beta.tgz:
+  version "3.7.0-beta"
+  resolved "/app/aladin-lite-3.7.0-beta.tgz#36cf9c942621a3b20b48cec20fca2ace4c71377b"
+
 aladin-lite@^3.5.1-beta:
   version "3.5.1-beta"
   resolved "https://registry.yarnpkg.com/aladin-lite/-/aladin-lite-3.5.1-beta.tgz#4dfc4e56aad8c35966279316c08ec69b986f9a39"

nginx-proxy.conf

@@ -6,6 +6,8 @@ upstream srvfrontend {
     server frontend:3000;
 }
 
+proxy_cache_path /tmp/nginx_cache levels=1:2 keys_zone=auth_cache:10m inactive=5m use_temp_path=off;
+
 server {
     listen 80;
 
@@ -65,6 +67,38 @@ server {
         uwsgi_pass backend_srv;
     }
 
+    # Teste Private Hips Image
+    location /data/releases/des/dr2/images/hips/ {
+        auth_request /auth_hips;
+        alias /var/www/data/releases/des/dr2/images/hips/;
+
+        try_files $uri $uri/ /index.html;
+        autoindex off;
+    }
+
+    location = /auth_hips {
+        internal;
+
+        include uwsgi_params;
+        uwsgi_param HTTP_X_ORIGINAL_URI $request_uri;
+        uwsgi_param Cookie $http_cookie;
+
+
+        uwsgi_param SCRIPT_NAME "";
+        uwsgi_param PATH_INFO /api/nginx_serve_protected_hips_debug/;
+
+        uwsgi_pass backend_srv;
+
+        # Ativa cache do resultado da autenticação
+        proxy_cache auth_cache;
+        proxy_cache_valid 200 10s;
+        proxy_cache_valid 403 10s;
+        proxy_cache_valid 401 10s;
+
+        # Garante que erros inesperados não sejam cacheados
+        proxy_cache_valid any 1s;
+    }
+
     # location /media {
     #     proxy_pass $scheme://srvapi;
     #     # uwsgi_pass $scheme://srvapi$request_uri;