copilot feedback changes and added logs and better return message

tech3371 · tech3371 · commit 57df8cf2da6b · 2026-03-06T08:48:27.000-07:00
diff --git a/sds_data_manager/lambda_code/SDSCode/api_lambdas/upload_api.py b/sds_data_manager/lambda_code/SDSCode/api_lambdas/upload_api.py
@@ -110,13 +110,27 @@ def lambda_handler(event, context):
     auth = request_ctx.get("authorizer", {})
     auth_ctx = auth.get("lambda", {})
     scope = auth_ctx.get("scope", "")
+    api_key = auth_ctx.get("apiKey", "unknown")
 
-    # Deny upload access for read-only scope
+    logger.info(f"Upload request received with scope: {scope}, api_key: {api_key}")
+
+    # Deny upload access for read scope
     if scope == "read":
+        logger.warning("Upload denied: read scope user attempted upload")
+        return {
+            "statusCode": 403,
+            "body": json.dumps(
+                "Upload access denied. Your API key has read permissions."
+            ),
+        }
+
+    # Check if scope is missing (might be caught by authorizer first)
+    if not scope:
+        logger.warning("Upload denied: no scope found in authorizer context")
         return {
             "statusCode": 403,
             "body": json.dumps(
-                "Upload access denied. Your API key has read-only permissions."
+                "Upload access denied. Your API key has read permissions."
             ),
         }
 
diff --git a/sds_data_manager/lambda_code/authorization/lambda_api_key_authorizer.py b/sds_data_manager/lambda_code/authorization/lambda_api_key_authorizer.py
@@ -1,20 +1,26 @@
 """Authorization for API Keys within the SDS."""
 
+import logging
+
 import boto3
 
+from sds_data_manager.lambda_code.authorization.manage_api_keys import VALID_SCOPES
+
+# Configure logging
+logger = logging.getLogger()
+logger.setLevel(logging.INFO)
+
 # Initialize DynamoDB resource
 # Specifically outside of the handler to be cached in the lambda execution environment
 dynamodb = boto3.resource("dynamodb")
 table = dynamodb.Table("imap-sdc-api-keys")
 
 
-def _is_authorized(api_key, scope, path, http_method):
+def _is_authorized(scope, path, http_method):
     """Check if the API key is authorized for the requested operation.
 
     Parameters
     ----------
-    api_key : str
-        The API key from the request
     scope : str
         The scope/permission level of the API key
     path : str
@@ -27,22 +33,27 @@ def _is_authorized(api_key, scope, path, http_method):
     bool
         True if authorized, False otherwise
     """
-    # Restrict write operations for read-only scope
+    logger.info(
+        f"Checking authorization - scope: {scope}, path: {path}, method: {http_method}"
+    )
+
+    # Restrict write operations for read scope
     if scope == "read" and http_method in ("PUT", "POST", "DELETE", "PATCH"):
+        logger.warning(
+            f"DENIED: read scope user attempted {http_method} operation on {path}"
+        )
         return False
 
-    # Restrict write operations (upload) for read-only scope
+    # Restrict write operations (upload) for read scope
     if scope == "read" and path.startswith("/api-key/upload"):
+        logger.warning(f"DENIED: read scope user attempted upload on {path}")
         return False
 
     # Check scope-based authorization for specific endpoints
-    if path.startswith("/ialirt-db-query") and scope not in (
-        "ialirt_db",
-        "full",
-        "ialirt_external_partner",
-        "ialirt_scientist",
-        "read",
-    ):
+    if path.startswith("/ialirt-db-query") and scope not in VALID_SCOPES:
+        logger.warning(
+            f"DENIED: scope '{scope}' not authorized for /ialirt-db-query endpoint"
+        )
         return False
 
     # Public download except for logs and packets.
@@ -55,8 +66,12 @@ def _is_authorized(api_key, scope, path, http_method):
         "ialirt_scientist",
         "read",
     ):
+        logger.warning(
+            f"DENIED: scope '{scope}' not authorized for I-ALiRT download endpoint"
+        )
         return False
 
+    logger.info(f"AUTHORIZED: API key with scope '{scope}' granted access to {path}")
     return True
 
 
@@ -65,23 +80,32 @@ def lambda_handler(event, context):
     api_key = event.get("headers", {}).get("x-api-key", None)
 
     if not api_key:
+        logger.warning("DENIED: No API key provided in request headers")
         return {"isAuthorized": False}
 
+    logger.info("API key received. Checking authorization...")
+
     # Retrieve metadata from DynamoDB
     try:
         metadata = table.get_item(Key={"api_key": api_key}).get("Item")
-    except Exception:
-        # Log? print(f"Error retrieving API key metadata: {e}")
+    except Exception as e:
+        logger.error(f"Error retrieving API key metadata from DynamoDB: {e}")
         return {"isAuthorized": False}
+
     if not metadata:
+        logger.warning("DENIED: API key not found in database")
         return {"isAuthorized": False}
 
     scope = metadata.get("scope", "")
     path = event.get("rawPath") or event.get("path", "")
     http_method = event.get("requestContext", {}).get("http", {}).get("method", "GET")
 
-    is_authorized = _is_authorized(api_key, scope, path, http_method)
+    logger.info(f"API key found with scope: {scope}")
+    logger.info(f"Request details - Path: {path}, Method: {http_method}")
+
+    is_authorized = _is_authorized(scope, path, http_method)
 
+    logger.info(f"Authorization successful for scope '{scope}'")
     return {
         "isAuthorized": is_authorized,
         "context": {
diff --git a/sds_data_manager/lambda_code/authorization/manage_api_keys.py b/sds_data_manager/lambda_code/authorization/manage_api_keys.py
@@ -24,6 +24,15 @@
 
 TABLE_NAME = "imap-sdc-api-keys"
 
+# Validate scope
+VALID_SCOPES = {
+    "full",
+    "ialirt_db",
+    "ialirt_external_partner",
+    "ialirt_scientist",
+    "read",
+}
+
 
 def get_table():
     """Get the DynamoDB table resource."""
@@ -120,16 +129,8 @@ def add_key(owner, email, scope="full"):
         - 'read': Read-only access
         Default is 'full'
     """
-    # Validate scope
-    valid_scopes = {
-        "full",
-        "read",
-        "ialirt_db",
-        "ialirt_external_partner",
-        "ialirt_scientist",
-    }
-    if scope not in valid_scopes:
-        valid_scopes_str = ", ".join(sorted(valid_scopes))
+    if scope not in VALID_SCOPES:
+        valid_scopes_str = ", ".join(sorted(VALID_SCOPES))
         print(f"Error: Invalid scope '{scope}'. Valid scopes are: {valid_scopes_str}")
         return
 
@@ -172,16 +173,8 @@ def update_permission(owner: str, email: str, scope: str):
         - Other specialized scopes (ialirt_db, ialirt_external_partner,
           ialirt_scientist)
     """
-    # Validate scope
-    valid_scopes = {
-        "full",
-        "read",
-        "ialirt_db",
-        "ialirt_external_partner",
-        "ialirt_scientist",
-    }
-    if scope not in valid_scopes:
-        valid_scopes_str = ", ".join(sorted(valid_scopes))
+    if scope not in VALID_SCOPES:
+        valid_scopes_str = ", ".join(sorted(VALID_SCOPES))
         print(f"Error: Invalid scope '{scope}'. Valid scopes are: {valid_scopes_str}")
         return
 
