ENH: locking down read access on API key#1158

Merged
tech3371 merged 6 commits into IMAP-Science-Operations-Center:dev from tech3371:lock_down_read_access
Mar 10, 2026
@tech3371 tech3371 commented Mar 5, 2026

Change Summary

closes #1163

Overview

Need to lock down API read access given the amount of API requests coming our way.

File changes

Minor refactoring and added checks for read access for upload API. Others are ok.

Testing

@tech3371 tech3371 requested review from Copilot and laspsandoval March 5, 2026 22:21
@tech3371 tech3371 self-assigned this Mar 5, 2026
@tech3371 tech3371 added this to IMAP Mar 5, 2026
@tech3371 tech3371 added bug (Something isn't working) and enhancement (New feature or request) labels Mar 5, 2026

Copilot AI left a comment

Pull request overview

This PR introduces a new read API key scope intended to allow read access while preventing uploads and other write-like operations, addressing increased API traffic by tightening permissions around sensitive endpoints.

Changes:

  • Refactors the API key authorizer to centralize scope/path/method authorization logic and adds explicit restrictions for read scope.
  • Adds read scope validation/printing to the key management script and documents scope options in the README.
  • Enforces upload denial for read scope in the upload lambda and updates DynamoDB-based authorization tests accordingly.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 10 comments.

| File | Description |
| --- | --- |
| tests/infrastructure/test_api_key_dynamodb.py | Updates scope restriction tests to validate the new read behavior (including write/upload denial). |
| sds_data_manager/lambda_code/authorization/manage_api_keys.py | Adds scope documentation + validation for add_key / update_permission and prints scope after changes. |
| sds_data_manager/lambda_code/authorization/lambda_api_key_authorizer.py | Refactors authorization into _is_authorized and adds method/path-based restrictions for read scope. |
| sds_data_manager/lambda_code/SDSCode/api_lambdas/upload_api.py | Denies upload signed-URL generation when authorizer scope is read. |
| sds_data_manager/lambda_code/IAlirtCode/ialirt_data_query_api.py | Treats read as “full read” for HIT field filtering via READ_ONLY_SCOPES. |
| README.md | Documents scope options and updates CLI usage examples to include scope. |

Comments suppressed due to low confidence (1)

sds_data_manager/lambda_code/authorization/manage_api_keys.py:203

  • In update_permission, the variable name key is reused to hold the metadata dict (keys[matches[0]]), which is easy to confuse with the API key string itself. Consider renaming it to something like key_meta/metadata to make the code clearer.
    if matches:
        key = keys[matches[0]]
        table.put_item(
            Item={
                "api_key": matches[0],
                "owner": key["owner"],
                "email": key["email"],

Comment on lines +30 to +36
# Restrict write operations for read-only scope
if scope == "read" and http_method in ("PUT", "POST", "DELETE", "PATCH"):
return False

scope = metadata.get("scope", "")
path = event.get("rawPath") or event.get("path", "")
# Restrict write operations (upload) for read-only scope
if scope == "read" and path.startswith("/api-key/upload"):
return False
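
Review bot: Both restrictions fire only on the exact string scope == "read", and scope is read with metadata.get("scope", "") so a missing value becomes an empty string; as far as these lines show, a key whose scope is absent, empty, or spelled differently passes both checks. Consider inverting the logic so that write methods and paths under /api-key/upload are permitted only for an explicit set of write-capable scopes, with everything else returning False. The method tuple ("PUT", "POST", "DELETE", "PATCH") is also a deny-list; testing for the read methods you intend to allow would cover any verb not named here.
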
Copilot AI Mar 5, 2026

The new read-only restrictions only apply when scope == "read". This PR also renames the test scope from read_only to read, which suggests existing DynamoDB records may still have scope="read_only"; those keys would not be restricted from write methods or /api-key/upload by the new logic. Consider treating legacy read_only as equivalent to read (or migrating existing records) so the lock-down actually applies to previously-issued read-only keys.

Contributor Author

we don't have any with read_only. Just read.
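
The legacy-scope gap raised in the review comment above, as an added example that is not code from this pull request or the project: it compares an exact-match deny-list shaped like the quoted check with an allow-list that folds read_only into read and denies unknown scopes. The write scope name, the /api-key/other path and the sample requests are assumptions constructed for illustration.

```python
# Added illustration, not the project's authorizer. "read", "read_only" and
# "/api-key/upload" come from the thread; "write" and the sample requests are assumed.
WRITE_METHODS = {"PUT", "POST", "DELETE", "PATCH"}
UPLOAD_PREFIX = "/api-key/upload"

READ_SCOPES = {"read", "read_only"}   # legacy alias treated as read
WRITE_SCOPES = {"write"}              # hypothetical write-capable scope name


def deny_list_authorized(scope, method, path):
    """Exact-match deny-list, shaped like the check quoted in the review."""
    if scope == "read" and method in WRITE_METHODS:
        return False
    if scope == "read" and path.startswith(UPLOAD_PREFIX):
        return False
    return True


def allow_list_authorized(scope, method, path):
    """Default-deny: only known scopes pass, and read scopes cannot write or upload."""
    scope = (scope or "").strip().lower()
    if scope in WRITE_SCOPES:
        return True
    if scope in READ_SCOPES:
        return method.upper() not in WRITE_METHODS and not path.startswith(UPLOAD_PREFIX)
    return False


# Constructed requests: (scope stored on the key record, HTTP method, request path).
CASES = [
    ("read", "GET", "/api-key/other"),
    ("read", "POST", "/api-key/upload/file"),
    ("read_only", "POST", "/api-key/upload/file"),
    ("read_only", "DELETE", "/api-key/other"),
    ("", "PUT", "/api-key/other"),
    ("write", "POST", "/api-key/upload/file"),
]


def gaps(cases):
    """Requests the deny-list lets through that the allow-list rejects."""
    return [c for c in cases
            if deny_list_authorized(*c) and not allow_list_authorized(*c)]


if __name__ == "__main__":
    for scope, method, path in gaps(CASES):
        print(f"deny-list allows scope={scope!r} {method} {path}")
```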

@tech3371 tech3371 force-pushed the lock_down_read_access branch from 274d248 to 57df8cf Compare March 6, 2026 15:48
@tech3371
Contributor Author

I tested it again in dev and read access lock down works and updates and removal of access still works as well.

@tech3371 tech3371 merged commit 459d838 into IMAP-Science-Operations-Center:dev Mar 10, 2026
2 checks passed
@github-project-automation github-project-automation bot moved this to Done in IMAP Mar 10, 2026
Labels

bug Something isn't working enhancement New feature or request

Projects

Status: Done

Development

Successfully merging this pull request may close these issues.

ENH: Lock down read access for API key

3 participants