feat: add authz checks to API by shree-iyengar-dls · Pull Request #1539 · DiamondLightSource/blueapi

shree-iyengar-dls · 2026-05-15T08:28:20Z

Require authz checks as part of endpoints that modify state of the blueapi deployment either by running plans or changing existing tasks.

codecov · 2026-05-15T14:25:08Z

Codecov Report

❌ Patch coverage is 98.21429% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 95.89%. Comparing base (0482d81) to head (55c9886).

Files with missing lines	Patch %	Lines
src/blueapi/service/main.py	94.11%	1 Missing ⚠️

Additional details and impacted files

@@                    Coverage Diff                     @@
##           tiled-token-validation    #1539      +/-   ##
==========================================================
+ Coverage                   95.86%   95.89%   +0.02%     
==========================================================
  Files                          44       44              
  Lines                        3292     3338      +46     
==========================================================
+ Hits                         3156     3201      +45     
- Misses                        136      137       +1

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

ZohebShaikh

Looks Good, few comments

tpoliaw · 2026-06-02T11:00:00Z

+):
+    task = runner.run(interface.get_task_by_id, task_id)
+
+    if opa and not opa.admin() and (task and fedid != task.task.metadata.get("user")):


This only checks task access if OPA is configured. Do we want to restrict access based on user name when authn is enabled but authz is not?

shree-iyengar-dls · 2026-06-24T10:04:49Z

 LOGGER = logging.getLogger(__name__)


 class OpaClient:


Nit: might be helpful to have a brief comment explaining the difference between OpaClient and OpaUserClient

shree-iyengar-dls marked this pull request as ready for review May 15, 2026 14:27

shree-iyengar-dls requested a review from a team as a code owner May 15, 2026 14:27

ZohebShaikh reviewed May 15, 2026

View reviewed changes

Comment thread src/blueapi/service/main.py Outdated

shree-iyengar-dls marked this pull request as draft May 18, 2026 15:13

shree-iyengar-dls changed the title ~~feat: add authz dependency injection~~ feat: add authz dependency injections May 20, 2026

tpoliaw force-pushed the add_depedency_injection branch from 27a9865 to ae58c78 Compare June 2, 2026 10:21

tpoliaw changed the base branch from main to submit-task-auth June 2, 2026 10:55

tpoliaw changed the base branch from submit-task-auth to tiled-token-validation June 2, 2026 11:12

tpoliaw force-pushed the tiled-token-validation branch from b575c2b to b6049c8 Compare June 3, 2026 10:49

tpoliaw force-pushed the add_depedency_injection branch from ae58c78 to 8112e4b Compare June 3, 2026 10:49

ZohebShaikh reviewed Jun 4, 2026

View reviewed changes

Comment thread src/blueapi/service/authorization.py Outdated

Comment thread src/blueapi/service/main.py Outdated

Comment thread src/blueapi/config.py

Comment thread src/blueapi/service/main.py Outdated

Comment thread tests/unit_tests/service/test_authorization.py Outdated

tpoliaw force-pushed the tiled-token-validation branch from b6049c8 to 63009c0 Compare June 5, 2026 14:27

tpoliaw force-pushed the add_depedency_injection branch from 8112e4b to a4c6778 Compare June 5, 2026 14:28

tpoliaw force-pushed the tiled-token-validation branch from 63009c0 to 9865265 Compare June 5, 2026 16:01

tpoliaw force-pushed the add_depedency_injection branch from a4c6778 to 4fa20de Compare June 5, 2026 16:01

tpoliaw reviewed Jun 5, 2026

View reviewed changes

tpoliaw force-pushed the tiled-token-validation branch from 9865265 to 41e28ca Compare June 8, 2026 20:05

tpoliaw force-pushed the add_depedency_injection branch from 1168a23 to fa02ed5 Compare June 8, 2026 20:05

tpoliaw marked this pull request as ready for review June 10, 2026 09:24

Alexj9837 self-requested a review June 11, 2026 08:03

tpoliaw force-pushed the tiled-token-validation branch from 41e28ca to 1c0d35f Compare June 23, 2026 13:19

tpoliaw force-pushed the add_depedency_injection branch from 0912158 to 6237ebc Compare June 23, 2026 13:19

tpoliaw force-pushed the tiled-token-validation branch from 1c0d35f to 494c3f6 Compare June 23, 2026 14:28

tpoliaw force-pushed the add_depedency_injection branch from 6237ebc to bcb0423 Compare June 23, 2026 14:28

tpoliaw changed the title ~~feat: add authz dependency injections~~ feat: add authz checks to API Jun 23, 2026

tpoliaw added 4 commits June 23, 2026 16:38

Validate tiled service account configuration at startup

affedf8

Add tests for tiled check

0482d81

Add opa dependency function to create OpaUserClient

170e3d1

test opa dependency function

b3254ea

shree-iyengar-dls and others added 26 commits June 23, 2026 16:38

feat: add auth check dependency injections to task endpoints

ddfeab0

feat: create new access task permission fns and add as dependencies

37524eb

refactor: update rest api version

13093f6

comment out dependency addition in set_state

d7d57ae

refactor: add admin check and check to set state function

4ef3365

Update dependency names

659cf58

Add missing admin check

a669903

Handle missing opa and fix tests

d1cb939

Remove old admin method

b889e20

Use starlette statuses directly

3eb315a

test task submission authz

086953f

Use _config instead of _conf

2d3a564

Re-use instrument session regex

83ae2a6

remove task access check

029bc89

Add match to raises check

4e12a23

Add exception detail

850682b

Let admin see all tasks

2f1d3eb

Start of api authz tests

e720bc4

Make get_tasks async to access authz check

d73d01a

Parametrise filter test to check with and without admin

d1b7302

Add test for deleting tasks

02eba88

Add test for submit without permission

b34600a

Test setting other user's task active

6967b16

Test getting other users task

49b1b97

Add tests for set state

0139c0b

Remove print debugging

55c9886

tpoliaw force-pushed the tiled-token-validation branch from 494c3f6 to 0482d81 Compare June 23, 2026 15:38

tpoliaw force-pushed the add_depedency_injection branch from bcb0423 to 55c9886 Compare June 23, 2026 15:38

Base automatically changed from tiled-token-validation to main June 24, 2026 09:27

shree-iyengar-dls commented Jun 24, 2026

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

feat: add authz checks to API#1539

feat: add authz checks to API#1539
shree-iyengar-dls wants to merge 32 commits into
mainfrom
add_depedency_injection

shree-iyengar-dls commented May 15, 2026 •

edited by tpoliaw

Loading

Uh oh!

codecov Bot commented May 15, 2026 •

edited

Loading

Uh oh!

Uh oh!

ZohebShaikh left a comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

tpoliaw Jun 2, 2026

Uh oh!

Uh oh!

Uh oh!

Uh oh!

shree-iyengar-dls Jun 24, 2026

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Uh oh!

Conversation

shree-iyengar-dls commented May 15, 2026 • edited by tpoliaw Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

codecov Bot commented May 15, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

Uh oh!

ZohebShaikh left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

tpoliaw Jun 2, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

shree-iyengar-dls Jun 24, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

shree-iyengar-dls commented May 15, 2026 •

edited by tpoliaw

Loading

codecov Bot commented May 15, 2026 •

edited

Loading