From a23362778694adbce77dd3c4310fe55517e46fed Mon Sep 17 00:00:00 2001
From: Albert Snow
Date: Fri, 24 Jan 2025 17:12:20 -0600
Subject: [PATCH] log pub key info
---
 fence/__init__.py | 4 ++--
 fence/blueprints/data/indexd.py | 27 ++++++++++++++++-----------
 tests/test_drs.py | 5 ++++-
 3 files changed, 22 insertions(+), 14 deletions(-)
diff --git a/fence/__init__.py b/fence/__init__.py
index e1aec601d..c2c378774 100755
--- a/fence/__init__.py
+++ b/fence/__init__.py
@@ -395,12 +395,12 @@ def _load_keys(app, root_dir):
 root_dir = os.path.dirname(os.path.dirname(os.path.realpath(__file__)))
 app.keypairs = keys.load_keypairs(os.path.join(root_dir, "keys"))
-
- app.jwt_public_keys = {
+ pub_keys = {
 config["BASE_URL"]: OrderedDict(
 [(str(keypair.kid), str(keypair.public_key)) for keypair in app.keypairs]
 )
 }
+ app.jwt_public_keys = pub_keys
 def _setup_oidc_clients(app):
diff --git a/fence/blueprints/data/indexd.py b/fence/blueprints/data/indexd.py
index 85f2c021b..10c379cb4 100755
--- a/fence/blueprints/data/indexd.py
+++ b/fence/blueprints/data/indexd.py
@@ -143,16 +143,19 @@ def get_signed_url_for_file(
 )
 prepare_presigned_url_audit_log(requested_protocol, indexed_file)
- signed_url, authorized_user_from_passport = indexed_file.get_signed_url(
- requested_protocol,
- action,
- expires_in,
- force_signed_url=force_signed_url,
- r_pays_project=r_pays_project,
- file_name=file_name,
- users_from_passports=users_from_passports,
- bucket=bucket,
- )
+ try:
+ signed_url, authorized_user_from_passport = indexed_file.get_signed_url(
+ requested_protocol,
+ action,
+ expires_in,
+ force_signed_url=force_signed_url,
+ r_pays_project=r_pays_project,
+ file_name=file_name,
+ users_from_passports=users_from_passports,
+ bucket=bucket,
+ )
+ except Exception as e:
+ logger.error(str(e))
 # a single user from the list was authorized so update the audit log to reflect that
 # users info
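Review bot: The new `except Exception as e: logger.error(str(e))` around `indexed_file.get_signed_url(...)` swallows every failure, including the `Unauthorized` that `get_signed_url` raises when the caller has no access to the file, so the request keeps running past the access check with `signed_url` and `authorized_user_from_passport` never assigned. At best the next reference to those names raises `NameError` and the client sees a 500 instead of a 401/403; at worst a later assignment in the function masks the denial entirely, and either way the audit-log update that follows would record a request that was actually refused. If the goal is only to log the error, let it propagate: `except Exception: logger.exception("get_signed_url failed"); raise`, or drop the `try` altogether since `logger.error(str(e))` loses the traceback anyway. `get_signed_url_for_file` starts before this hunk and continues past it.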
@@ -574,7 +577,9 @@ def get_signed_url(
 )
 # don't check the authorization if the file is public
 # (downloading public files with no auth is fine)
- if not self.public_acl and not self.check_legacy_authorization(action):
+ not_a_public_acl = not self.public_acl
+ legacy_auth_failed = not self.check_legacy_authorization(action)
+ if not_a_public_acl and legacy_auth_failed:
 raise Unauthorized(
 f"You don't have access permission on this file: {self.file_id}"
 )
diff --git a/tests/test_drs.py b/tests/test_drs.py
index b2f7b8305..e8ef26885 100644
--- a/tests/test_drs.py
+++ b/tests/test_drs.py
@@ -69,6 +69,7 @@ def test_get_presigned_url_with_access_id(
 primary_google_service_account,
 cloud_manager,
 google_signed_url,
+ app,
 ):
 access_id = indexd_client["indexed_file_location"]
 test_guid = "1"
@@ -80,7 +81,7 @@ def test_get_presigned_url_with_access_id(
 + jwt.encode(
 context_claims,
 key=rsa_private_key,
- headers={"kid": "kid"},
+ headers={"kid": kid},
 algorithm="RS256",
 )
 }
@@ -93,6 +94,8 @@ def test_get_presigned_url_with_access_id(
 logging.warning("Failed to get presigned url with access id")
 log_info = res.__dict__ | {"kid": kid, "cc": context_claims}
 logging.error(log_info)
+ logging.error("keys: ")
+ logging.error(str(list(list(app.jwt_public_keys.items())[0][1].items())))
 assert res.status_code == 200
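Review bot: Splitting the condition into `not_a_public_acl` and `legacy_auth_failed` drops the short-circuit the original `if` had: `self.check_legacy_authorization(action)` is now evaluated for public files too, where before it was only reached when `self.public_acl` was falsy. If that check raises or records anything for an unauthenticated caller (not visible in this hunk), anonymous downloads of public files would start failing, which is exactly what the comment two lines above says must keep working. Keep the evaluation order while keeping the named intermediates: `legacy_auth_failed = not_a_public_acl and not self.check_legacy_authorization(action)`, or simply restore the original single-line `if`. `get_signed_url` starts and ends outside this hunk.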
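Review bot: The added `logging.error(str(list(list(app.jwt_public_keys.items())[0][1].items())))` in the failure branch indexes `[0]` on the items list, so if `app.jwt_public_keys` is ever empty this debug line raises `IndexError` before the `assert res.status_code == 200` below can report the real failure. Since the point is just to dump the loaded kids alongside the `kid` the test signed with, one line does it without the fragile indexing: `logging.error("keys: %s", app.jwt_public_keys)`, replacing both added lines. The real fix in this file is the `headers={"kid": kid}` change in the previous hunk; consider whether the extra error-level logging should stay in the test once that is confirmed to pass.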