update stac, weaver, magpie, twitcher, cowbird - security fixes for EOL Python and http-related libraires

CHANGES.md

@@ -15,7 +15,37 @@
 [Unreleased](https://github.com/bird-house/birdhouse-deploy/tree/master) (latest)
 ------------------------------------------------------------------------------------------------------------------
 
-[//]: # (list changes here, using '-' for each new entry, remove this when items are added)
+## Changes
+
+- STAC API: Security update and minor OpenAPI version reporting fixes
+  using version [2.2.0](https://github.com/crim-ca/stac-app/releases/tag/2.2.0)
+  (relates to [crim-ca/stac-app#65](https://github.com/crim-ca/stac-app/pull/65)
+  and [crim-ca/stac-app#69](https://github.com/crim-ca/stac-app/pull/69)).
+
+- Weaver: Security update using version [6.8.1](https://github.com/crim-ca/weaver/releases/tag/6.8.1)
+  (relates to [crim-ca/weaver#868](https://github.com/crim-ca/weaver/pull/868)
+  and [crim-ca/weaver#869](https://github.com/crim-ca/weaver/pull/869)).
+
+- Cowbird: Security update using version [2.6.0](https://github.com/Ouranosinc/cowbird/releases/tag/2.6.0)
+  (relates to [Ouranosinc/cowbird#98](https://github.com/Ouranosinc/cowbird/pull/98)).
+
+- Magpie: Security update using version [4.3.1](https://github.com/Ouranosinc/Magpie/releases/tag/4.3.1)
+  (relates to [Ouranosinc/Magpie#640](https://github.com/Ouranosinc/Magpie/pull/640)
+  and [Ouranosinc/Magpie#642](https://github.com/Ouranosinc/Magpie/pull/642)).
+
+- Twitcher: Security update using version [0.11.0](https://github.com/bird-house/twitcher/releases/tag/v0.11.0)
+  (relates to [bird-house/twitcher#143](https://github.com/bird-house/twitcher/pull/143),
+  [bird-house/twitcher#145](https://github.com/bird-house/twitcher/pull/145),
+  [bird-house/twitcher#146](https://github.com/bird-house/twitcher/pull/146) and
+  [bird-house/twitcher#148](https://github.com/bird-house/twitcher/pull/148)).
+
+- Weaver: Update `post-docker-compose-up` script.
+  - Handle multiple Magpie cookies in response.
+    This can happen depending on specific internal HTTP libraries versions of the services.
+    To retain backward/forward compatibility, all cookies returned from Magpie are chained in following `curl` commands.
+  - Use birdhouse `log` utility to report operations produced by the script rather than custom "echo level".
+
+- Birdhouse: Allow `log <LEVEL> -n ...` to generate log outputs without newline.
 
 [2.20.2](https://github.com/bird-house/birdhouse-deploy/tree/2.20.2) (2026-01-05)
 ------------------------------------------------------------------------------------------------------------------

birdhouse/components/cowbird/default.env

@@ -29,7 +29,7 @@ VARS="$VARS $EXTRA_VARS"
 # Cowbird Configuration
 # =====================
 
-export COWBIRD_VERSION="2.5.2"
+export COWBIRD_VERSION="2.6.0"
 export COWBIRD_DOCKER=pavics/cowbird
 export COWBIRD_IMAGE='${COWBIRD_DOCKER}:${COWBIRD_VERSION}'
 export COWBIRD_IMAGE_API='${COWBIRD_IMAGE}-webservice'

birdhouse/components/magpie/default.env

@@ -5,7 +5,7 @@
 # are applied and must be added to the list of DELAYED_EVAL.
 
 # Tag version that will be used to update Magpie API, Magpie CLI, and matching Twitcher with Magpie Adapter
-export MAGPIE_VERSION=4.2.0
+export MAGPIE_VERSION=4.3.1
 export MAGPIE_IMAGE='pavics/magpie:${MAGPIE_VERSION}'
 export MAGPIE_IMAGE_URI='registry.hub.docker.com/${MAGPIE_IMAGE}'
 

birdhouse/components/stac/default.env

@@ -17,8 +17,8 @@ export STAC_PGPASSWORD='${BIRDHOUSE_POSTGRES_PASSWORD}'
 #   crim-ca/stac-app:1.0.0 uses STAC-fastapi version 3.0.3 with pgstac 0.6.10 (techically >=0.7,<0.8, but 0.6 works)
 #   crim-ca/stac-app:1.1.0 uses STAC-fastapi version 5.2.0 with pgstac 0.9.6 (techically >=0.8,<0.10)
 #   crim-ca/stac-app:2.0.1 uses STAC-fastapi version 6.0.0 with pgstac 0.9.6+ (techically >=0.8,<0.10)
-export STAC_VERSION=6.0.0-crim-2.1.0
-export STAC_IMAGE='ghcr.io/crim-ca/stac-app:2.1.0'
+export STAC_VERSION=6.0.0-crim-2.2.0
+export STAC_IMAGE='ghcr.io/crim-ca/stac-app:2.2.0'
 export STAC_IMAGE_URI='${STAC_IMAGE}'
 export STAC_LICENSE_URL='https://raw.githubusercontent.com/crim-ca/stac-app/refs/heads/main/LICENSE'
 export STAC_OPENAPI_SPEC_PATH='/api'

birdhouse/components/twitcher/default.env

@@ -5,7 +5,7 @@
 #   This is because Twitcher must be built with the MagpieAdapter component.
 #   (https://github.com/Ouranosinc/Magpie/blob/master/Dockerfile.adapter)
 #   The following reference is only indicative for the 'service-config.json'.
-export TWITCHER_VERSION=0.10.0
+export TWITCHER_VERSION=0.11.1
 export TWITCHER_RELEASE='${TWITCHER_VERSION}-magpie-${MAGPIE_VERSION}'
 export TWITCHER_DOCKER=pavics/twitcher
 export TWITCHER_IMAGE='${TWITCHER_DOCKER}:magpie-${MAGPIE_VERSION}'

birdhouse/components/weaver/default.env

@@ -55,7 +55,7 @@ OPTIONAL_VARS="
 export WEAVER_CONFIG=HYBRID
 
 # default release version that will be used to fetch docker images (API mananger & celery workers services)
-export WEAVER_VERSION=6.6.2
+export WEAVER_VERSION=6.8.1
 export WEAVER_DOCKER=pavics/weaver
 export WEAVER_IMAGE='${WEAVER_DOCKER}:${WEAVER_VERSION}'
 export WEAVER_MANAGER_IMAGE='${WEAVER_IMAGE}-manager'

birdhouse/components/weaver/post-docker-compose-up

@@ -67,20 +67,12 @@ reset_state() {
 }
 
 # logging
-if [ -n "$TERM" ]; then
-    YELLOW=${YELLOW:-$(tput setaf 3)}
-    RED=${RED:-$(tput setaf 1)}
-    NORMAL=${NORMAL:-$(tput sgr0)}
-else
-    YELLOW=""
-    RED=""
-    NORMAL=""
+if ! command -v log >/dev/null 2>&1; then
+  . "${COMPOSE_DIR}/scripts/logging.include.sh"
 fi
 PREFIX="[Weaver] "
-ERROR="${PREFIX}${RED}ERROR${NORMAL}: "
-WARN="${PREFIX}${YELLOW}WARNING${NORMAL}: "
 
-echo "${PREFIX}Running: $0"
+log INFO "${PREFIX}Running: $0"
 
 MAGPIE_URL="${BIRDHOUSE_PROXY_SCHEME}://${BIRDHOUSE_FQDN_PUBLIC}/magpie"
 WEAVER_URL="${BIRDHOUSE_PROXY_SCHEME}://${BIRDHOUSE_FQDN_PUBLIC}${TWITCHER_PROTECTED_PATH}/${WEAVER_MANAGER_NAME}"
@@ -92,7 +84,7 @@ WEAVER_WPS_PROVIDERS=$(echo $(echo "${WEAVER_WPS_PROVIDERS}" | tr ',' ' '))
 REQUEST_TIMEOUT=2
 
 if [ -z "${WEAVER_WPS_PROVIDERS}" ]; then
-    echo "${WARN}Nothing specified in WEAVER_WPS_PROVIDERS to register WPS remote providers."
+    log WARN "${PREFIX}Nothing specified in WEAVER_WPS_PROVIDERS to register WPS remote providers."
     reset_state
     exit 0
 fi
@@ -105,10 +97,10 @@ if [ "${WEAVER_WPS_PROVIDERS_RETRY_AFTER}" -lt 0 ]; then
     WEAVER_WPS_PROVIDERS_RETRY_AFTER=0
 fi
 
-echo "${PREFIX}Requested Weaver WPS providers: [${WEAVER_WPS_PROVIDERS}]"
-echo "${PREFIX}Will retry requests at most for ${WEAVER_WPS_PROVIDERS_MAX_TIME}s"
-echo "${PREFIX}Will retry registration of each provider up to ${WEAVER_WPS_PROVIDERS_RETRY_COUNT} times"
-echo "${PREFIX}Will retry registration of each provider with ${WEAVER_WPS_PROVIDERS_RETRY_AFTER}s intervals"
+log INFO "${PREFIX}Requested Weaver WPS providers: [${WEAVER_WPS_PROVIDERS}]"
+log INFO "${PREFIX}Will retry requests at most for ${WEAVER_WPS_PROVIDERS_MAX_TIME}s"
+log INFO "${PREFIX}Will retry registration of each provider up to ${WEAVER_WPS_PROVIDERS_RETRY_COUNT} times"
+log INFO "${PREFIX}Will retry registration of each provider with ${WEAVER_WPS_PROVIDERS_RETRY_AFTER}s intervals"
 
 if [ -z "$WEAVER_CURL_IMAGE" ]; then
     WEAVER_CURL_IMAGE="curlimages/curl:7.87.0"
@@ -132,7 +124,7 @@ start_time="$(date -u +%s)"
 # Magpie Authentication
 
 # registration of WPS providers require authenticated access, obtain login from Magpie
-printf "%s" "${PREFIX}Wait for response from Magpie to login [${MAGPIE_URL}]."
+log INFO -n "${PREFIX}Wait for response from Magpie to login [${MAGPIE_URL}]."
 while true; do
     # login (output null + cookie-jar '-' redirects output cookie to variable)
     cookie_jar=$( \
@@ -146,23 +138,31 @@ while true; do
              "${MAGPIE_URL}/signin" \
     )
     # trim excess stuff in cookie_jar pseudo-file (comments, empty lines)
-    # also trim duplicate cookies ".<host>" and "<host>" returned by Magpie behind proxy
-    cookie_jar=$(echo "${cookie_jar}" | grep -v '# ' | grep -v -e '^$' | grep -v '_\.')
-    # validate exactly 1 cookie retrieved (empty if bad-auth or invalid endpoint)
-    if [ ! -z "${cookie_jar}" ] && [ "$(echo "${cookie_jar}" | wc -l)" -eq 1 ]; then
-        fields="$(echo "${cookie_jar}" | wc -w)"
-        cookie_name="$(echo "${cookie_jar}" | cut -f $(( fields - 1 )) )"
-        cookie_value="$(echo "${cookie_jar}" | cut -f "${fields}")"
-        cookie="${cookie_name}=${cookie_value}"
+    cookie_jar=$(echo "${cookie_jar}" | grep -v '# ' | grep -v -e '^$')
+    # validate that cookie(s) are retrieved (empty if bad-auth or invalid endpoint)
+    # there can be "duplicate" cookies ".<host>" and "<host>" returned by Magpie behind proxy
+    if [ -n "${cookie_jar}" ] && [ "$(echo "${cookie_jar}" | wc -l)" -ge 1 ]; then
+        cookies=$(
+            printf "%s\n" "$cookie_jar" | while IFS= read -r cookie_line; do
+                fields=$(echo "$cookie_line" | wc -w)
+                if [ "${fields}" -lt 2 ]; then
+                    continue
+                fi
+                cookie_name=$(echo "$cookie_line" | cut -f $(( fields - 1 )))
+                cookie_value=$(echo "$cookie_line" | cut -f "$fields")
+                printf "%s=%s; " "$cookie_name" "$cookie_value"
+            done
+        )
         printf " %s\n" "OK!"
         break;
     fi
+
     # interrupt if max time reached
     next_time=$(date -u +%s)
     delta_time=$(( next_time - start_time ))
     if [ ${delta_time} -ge "${WEAVER_WPS_PROVIDERS_MAX_TIME}" ]; then
         msg="Failed to register all providers specified in WEAVER_WPS_PROVIDERS. Magpie is not responding."
-        printf "\n%s\n" "${ERROR}Timeout (${WEAVER_WPS_PROVIDERS_MAX_TIME}s)! ${msg}"
+        log ERROR "${PREFIX}Timeout (${WEAVER_WPS_PROVIDERS_MAX_TIME}s)! ${msg}"
         reset_state
         exit 11
     fi
@@ -171,19 +171,19 @@ while true; do
     printf "."
 done
 
-if [ -z "${cookie}" ]; then
+if [ -z "${cookies}" ]; then
     echo "${ERROR}Failed to retrieve authentication token from Magpie for Weaver WPS providers registration."
     reset_state
     exit 12
 fi
 
 # validate that Magpie token retrieved is adequate
-printf "%s" "${PREFIX}Validate Magpie token..."
+log INFO -n "${PREFIX}Validate Magpie token..."
 resp=$( \
     curl_cmd --insecure --silent --location \
          -m ${REQUEST_TIMEOUT} \
          -w "\n%{http_code}" \
-         -b "${cookie}" \
+         -b "${cookies}" \
          -H "Accept: application/json" \
          -X GET \
          "${MAGPIE_URL}/session" \
@@ -196,7 +196,7 @@ admin=$(echo "${body}" | grep -c '"administrators"')
 if [ ${ret} -eq 0 ] && [ "${code}" -eq 200 ] && [ "${auth}" -eq 1 ] && [ "${admin}" -eq 1 ]; then
     printf " %s\n" "OK!"
 else
-    printf "\n%s\n" "${ERROR}Failed administrative validation of Magpie token for Weaver WPS providers registration."
+    log ERROR "${PREFIX}Failed administrative validation of Magpie token for Weaver WPS providers registration."
     reset_state
     exit 13
 fi
@@ -205,13 +205,13 @@ fi
 # Weaver WPS Providers
 
 # validate that Weaver is ready to receive requests
-printf "%s" "${PREFIX}Wait for response from Weaver [${WEAVER_URL}]."
+log INFO -n "${PREFIX}Wait for response from Weaver [${WEAVER_URL}]."
 while true; do
     resp=$( \
         curl_cmd --insecure --silent --location \
              -m ${REQUEST_TIMEOUT} \
              -w "\n%{http_code}" \
-             -b "${cookie}" \
+             -b "${cookies}" \
              -H "Accept: application/json" \
              -X GET \
              "${WEAVER_URL}/" \
@@ -229,7 +229,7 @@ while true; do
     delta_time=$(( next_time - start_time ))
     if [ ${delta_time} -ge "${WEAVER_WPS_PROVIDERS_MAX_TIME}" ]; then
         msg="Failed to register all providers specified in WEAVER_WPS_PROVIDERS. Weaver is not responding."
-        printf "\n%s\n" "${ERROR}Timeout (${WEAVER_WPS_PROVIDERS_MAX_TIME}s)! ${msg}"
+        log ERROR "${PREFIX}Timeout (${WEAVER_WPS_PROVIDERS_MAX_TIME}s)! ${msg}"
         reset_state
         exit 21
     fi
@@ -239,7 +239,7 @@ while true; do
 done
 
 # move on to actual registration of WPS providers
-echo "${PREFIX}Using URL: [${WEAVER_URL}]"
+log INFO "${PREFIX}Using URL: [${WEAVER_URL}]"
 start_time="$(date -u +%s)"
 ret=1
 for prov in ${WEAVER_WPS_PROVIDERS}; do
@@ -250,22 +250,22 @@ for prov in ${WEAVER_WPS_PROVIDERS}; do
     prov_cap="${prov_url}?service=WPS&request=GetCapabilities"
 
     # wait for WPS provider to respond
-    printf "%s" "${PREFIX}Wait for response from remote WPS provider [${prov}] on [${prov_url}]."
+    log INFO "${PREFIX}Wait for response from remote WPS provider [${prov}] on [${prov_url}]."
     while true; do
         # request the URL and obtain the body+http code, then split them for verification
         resp=$( \
             curl_cmd --insecure --silent --location \
                  -m ${REQUEST_TIMEOUT} \
                  -w "\n%{http_code}" \
-                 -b "${cookie}" \
+                 -b "${cookies}" \
                  "${prov_cap}"
         )
         ret=$?   # in case proxy not up yet to receive any request
         code=$(echo "${resp}" | tail -n -1)
         body=$(echo "${resp}" | head -n -1)
         caps=$(echo "${body}" | grep -c "wps:Capabilities")
         if [ ${ret} -eq 0 ] && [ "${code}" -eq 200 ] && [ "${caps}" -ne 0 ]; then
-            printf "\n%s\n" "${PREFIX}Got valid response from remote WPS provider [${prov}]."
+            log INFO "${PREFIX}Got response from endpoint of remote WPS provider [${prov}]."
             break;
         fi
 
@@ -274,7 +274,7 @@ for prov in ${WEAVER_WPS_PROVIDERS}; do
         delta_time=$(( next_time - start_time ))
         if [ ${delta_time} -ge "${WEAVER_WPS_PROVIDERS_MAX_TIME}" ]; then
             msg="Failed to register all providers specified in WEAVER_WPS_PROVIDERS: [${prov}] is not responding."
-            printf "\n%s\n" "${ERROR}Timeout (${WEAVER_WPS_PROVIDERS_MAX_TIME}s)! ${msg}"
+            log ERROR "${PREFIX}Timeout (${WEAVER_WPS_PROVIDERS_MAX_TIME}s)! ${msg}"
             reset_state
             exit 22
         fi
@@ -291,38 +291,42 @@ for prov in ${WEAVER_WPS_PROVIDERS}; do
           retry_msg=" (retry: ${retry}/${total})"
         fi
         # unregister in case of multiple up/down to regenerate from scratch, don't care if NotFound returned
-        echo "${PREFIX}Unregistering any remote WPS provider matching [${prov}]${retry_msg}."
+        log INFO -n "${PREFIX}Unregistering any remote WPS provider matching [${prov}]${retry_msg}... "
         curl_cmd --insecure --silent --location \
              -m ${REQUEST_TIMEOUT} \
-             -w "${PREFIX}Delete [${prov}] response: %{http_code}${retry_msg}" -o /dev/null \
-             -b "${cookie}" \
+             -w "=> Delete response: %{http_code}\n" -o /dev/null \
+             -b "${cookies}" \
              -X DELETE \
              "${WEAVER_URL}/providers/${prov}"
 
         # register the new provider and validate
-        printf "\n%s" "${PREFIX}Registering remote WPS provider [${prov}] on [${prov_url}]${retry_msg}... "
+        payload="{\"id\": \"${prov}\", \"url\": \"${prov_url}\"}"
+        log DEBUG "${PREFIX}Registration payload: ${payload}"
+        log DEBUG "${PREFIX}Registration cookies: ${cookies}"
+        log INFO -n "${PREFIX}Registering remote WPS provider [${prov}] on [${prov_url}]${retry_msg}... "
         resp=$( \
             curl_cmd --insecure --silent --location \
                  -m ${REQUEST_TIMEOUT} \
-                 -w "\n%{http_code}" \
-                 -b "${cookie}" \
+                 -w "\n%{http_code}\n" \
+                 -b "${cookies}" \
                  -H "Content-Type: application/json" \
                  -X POST \
-                 -d "{\"id\": \"${prov}\", \"url\": \"${prov_url}\"}" \
+                 -d "${payload}" \
                  "${WEAVER_URL}/providers" \
         )
         ret=$?
         code=$(echo "${resp}" | tail -n -1)
         body=$(echo "${resp}" | head -n -1)
         if [ ${ret} -ne 0 ] || [ "${code}" -ne 201 ]; then
-            printf "\n%s\n" "${WARN}Failed registration of remote WPS provider [${prov}] on [${prov_url}]${retry_msg}."
-            printf "Error:\n%s\n" "${body}"
+            print "\n"
+            log WARN "${PREFIX}Failed registration of remote WPS provider [${prov}] on [${prov_url}]${retry_msg}."
+            log WARN "${PREFIX}Error response content:\n${body}"
             if [ ${retry} -ge ${total} ]; then
               echo "${ERROR}Maximum retry attempts ${total} reached for WPS provider [${prov}]. Aborting."
               reset_state
               exit 23
             fi
-            echo "${WARN}Will retry after ${WEAVER_WPS_PROVIDERS_RETRY_AFTER}s..."
+            log WARN "${PREFIX}Will retry after ${WEAVER_WPS_PROVIDERS_RETRY_AFTER}s..."
             sleep ${WEAVER_WPS_PROVIDERS_RETRY_AFTER}
             retry=$((retry+1))
         else
@@ -331,21 +335,21 @@ for prov in ${WEAVER_WPS_PROVIDERS}; do
         fi
     done
 done
-echo "${PREFIX}All Weaver remote WPS providers registered successfully!"
+log INFO "${PREFIX}All Weaver remote WPS providers registered successfully!"
 
 if [ x"${WEAVER_UNREGISTER_DROPPED_PROVIDERS}" = x"True" ]; then
     # Get all registered providers whether they are working or not
     all_providers_resp=$( \
         curl_cmd --insecure --silent --location \
             -m ${REQUEST_TIMEOUT} \
-            -b "${cookie}" \
+            -b "${cookies}" \
             "${WEAVER_URL}/providers?check=false&detail=false" \
     )
     # Get all registered working providers
     working_providers_resp=$( \
         curl_cmd --insecure --silent --location \
             -m ${REQUEST_TIMEOUT} \
-            -b "${cookie}" \
+            -b "${cookies}" \
             "${WEAVER_URL}/providers?check=true&detail=false" \
     )
     working_providers=$(echo "$working_providers_resp" | tr '\n' ' ' | \
@@ -355,17 +359,17 @@ if [ x"${WEAVER_UNREGISTER_DROPPED_PROVIDERS}" = x"True" ]; then
         if echo " ${WEAVER_WPS_PROVIDERS} " | grep -qv "[[:space:]]${prov}[[:space:]]" && \
            echo " ${working_providers} " | grep -qv "[[:space:]]${prov}[[:space:]]"; then
             # unregister provider that is no longer specified in WEAVER_WPS_PROVIDERS and is no longer working
-            echo "${PREFIX}Unregistering the remote WPS provider matching [${prov}] not in WEAVER_WPS_PROVIDERS."
+            log INFO "${PREFIX}Unregistering the remote WPS provider matching [${prov}] not in WEAVER_WPS_PROVIDERS."
             curl_cmd --insecure --silent --location \
                  -m ${REQUEST_TIMEOUT} \
-                 -b "${cookie}" \
+                 -b "${cookies}" \
                  -X DELETE \
                  "${WEAVER_URL}/providers/${prov}"
             fi
     done
 fi
 
-echo "${PREFIX}Starting Weaver WebApp/Worker Celery tasks validation..."
+log INFO "${PREFIX}Starting Weaver WebApp/Worker Celery tasks validation..."
 CUR_SCRIPT_DIR="$(dirname "$(realpath "$0")")"
 BIRDHOUSE_COMPOSE="${BIRDHOUSE_COMPOSE:-"$(realpath "${CUR_SCRIPT_DIR}/../../birdhouse-compose.sh")"}"
 BIRDHOUSE_LOG_DIR="${BIRDHOUSE_LOG_DIR:-/tmp/birdhouse-compose}"
@@ -379,10 +383,10 @@ ${BIRDHOUSE_COMPOSE} exec weaver-worker bash "${CELERY_HEALTHCHECK}" | tee "${BI
 ret_worker=$?
 out_worker=$(cat "${BIRDHOUSE_LOG_DIR}/weaver-worker.log" | tail -n 1 | grep -c "ERROR") || true
 if [ ${ret_weaver} -ne 0 ] || [ ${ret_worker} -ne 0 ] || [ "${out_weaver}" -ne 0 ] || [ "${out_worker}" -ne 0 ]; then
-  echo "${PREFIX}Weaver WebApp and/or Worker Celery tasks were not ready. Restarting both..."
+  log INFO "${PREFIX}Weaver WebApp and/or Worker Celery tasks were not ready. Restarting both..."
   ${BIRDHOUSE_COMPOSE} restart weaver weaver-worker
 else
-  echo "${PREFIX}Weaver WebApp and/or Worker Celery tasks are both ready."
+  log INFO "${PREFIX}Weaver WebApp and/or Worker Celery tasks are both ready."
 fi
 
 reset_state