From 444d6c00dc397e7a107b9e4df87ce7c52ba3510c Mon Sep 17 00:00:00 2001
From: grugna
Date: Tue, 10 Dec 2024 10:05:11 -0600
Subject: [PATCH] Update auth.py
---
fence/authz/auth.py | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/fence/authz/auth.py b/fence/authz/auth.py
index 8fe2121b9..585446700 100644
--- a/fence/authz/auth.py
+++ b/fence/authz/auth.py
@@ -6,9 +6,10 @@ from fence.errors import Forbidden, Unauthorized, NotFound
 from fence.jwt.utils import get_jwt_header
 from fence.config import config
+from pcdcutils.gen3 import Gen3RequestManager
-def check_arborist_auth(resource, method, constraints=None):
+def check_arborist_auth(resource, method, constraints=None, check_signature=False):
 """
 Check with arborist to verify the authz for a request.
@@ -47,7 +48,16 @@ def wrapper(*f_args, **f_kwargs):
 methods=method,
 resources=resource,
 ):
- raise Forbidden("user does not have privileges to access this endpoint")
+ if check_signature:
+ g3rm = Gen3RequestManager(headers=flask.request.headers)
+ if g3rm.is_gen3_signed():
+ data = flask.request.get_json()
+ if not g3rm.valid_gen3_signature(json.dumps(data), config):
+ raise Forbidden("Gen3 signed request is invalid")
+ else:
+ raise Forbidden("user does not have privileges to access this endpoint and the signature is not present.")
+ else:
+ raise Forbidden("user does not have privileges to access this endpoint")
 return f(*f_args, **f_kwargs)
 return wrapper
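Review bot: In the second hunk the signature is checked against `json.dumps(flask.request.get_json())`, a re-serialisation of the parsed body rather than the bytes the client signed, so verification succeeds only if the signer used identical `json.dumps` defaults (key order, separators, `ensure_ascii`) and any drift surfaces as a spurious `Forbidden("Gen3 signed request is invalid")` rather than a clear canonicalisation error; if `valid_gen3_signature` accepts the raw body, `flask.request.get_data()` removes that dependency. A valid signature also turns an arborist denial into a pass with nothing recorded, so an audit log line on that branch (resource, method and the signing identity, if `Gen3RequestManager` exposes one) would make misuse of the signing key detectable. The added code relies on `json` and `flask` being imported earlier in the file, which the first hunk does not show. The docstring under `Check with arborist to verify the authz for a request.` should document the new parameter, e.g. `check_signature: when True, a request carrying a valid Gen3 service signature is allowed even if arborist denies it.` The enclosing `wrapper` begins before this hunk.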