log pub key info

uc-cdis · Jan 24, 2025 · a233627 · a233627
1 parent 4240882
commit a233627
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 14 deletions.
diff --git a/fence/__init__.py b/fence/__init__.py
@@ -395,12 +395,12 @@ def _load_keys(app, root_dir):
         root_dir = os.path.dirname(os.path.dirname(os.path.realpath(__file__)))
 
     app.keypairs = keys.load_keypairs(os.path.join(root_dir, "keys"))
-
-    app.jwt_public_keys = {
+    pub_keys = {
         config["BASE_URL"]: OrderedDict(
             [(str(keypair.kid), str(keypair.public_key)) for keypair in app.keypairs]
         )
     }
+    app.jwt_public_keys = pub_keys
 
 
 def _setup_oidc_clients(app):

diff --git a/fence/blueprints/data/indexd.py b/fence/blueprints/data/indexd.py
@@ -143,16 +143,19 @@ def get_signed_url_for_file(
     )
 
     prepare_presigned_url_audit_log(requested_protocol, indexed_file)
-    signed_url, authorized_user_from_passport = indexed_file.get_signed_url(
-        requested_protocol,
-        action,
-        expires_in,
-        force_signed_url=force_signed_url,
-        r_pays_project=r_pays_project,
-        file_name=file_name,
-        users_from_passports=users_from_passports,
-        bucket=bucket,
-    )
+    try:
+        signed_url, authorized_user_from_passport = indexed_file.get_signed_url(
+            requested_protocol,
+            action,
+            expires_in,
+            force_signed_url=force_signed_url,
+            r_pays_project=r_pays_project,
+            file_name=file_name,
+            users_from_passports=users_from_passports,
+            bucket=bucket,
+        )
+    except Exception as e:
+        logger.error(str(e))
 
     # a single user from the list was authorized so update the audit log to reflect that
     # users info
@@ -574,7 +577,9 @@ def get_signed_url(
                 )
             # don't check the authorization if the file is public
             # (downloading public files with no auth is fine)
-            if not self.public_acl and not self.check_legacy_authorization(action):
+            not_a_public_acl = not self.public_acl
+            legacy_auth_failed = not self.check_legacy_authorization(action)
+            if not_a_public_acl and legacy_auth_failed:
                 raise Unauthorized(
                     f"You don't have access permission on this file: {self.file_id}"
                 )

diff --git a/tests/test_drs.py b/tests/test_drs.py
@@ -69,6 +69,7 @@ def test_get_presigned_url_with_access_id(
     primary_google_service_account,
     cloud_manager,
     google_signed_url,
+        app,
 ):
     access_id = indexd_client["indexed_file_location"]
     test_guid = "1"
@@ -80,7 +81,7 @@ def test_get_presigned_url_with_access_id(
         + jwt.encode(
             context_claims,
             key=rsa_private_key,
-            headers={"kid": "kid"},
+            headers={"kid": kid},
             algorithm="RS256",
         )
     }
@@ -93,6 +94,8 @@ def test_get_presigned_url_with_access_id(
         logging.warning("Failed to get presigned url with access id")
         log_info = res.__dict__ | {"kid": kid, "cc": context_claims}
         logging.error(log_info)
+        logging.error("keys: ")
+        logging.error(str(list(list(app.jwt_public_keys.items())[0][1].items())))
     assert res.status_code == 200