From e6caea0052e246fb7d1c283129b4e042f5e93fa0 Mon Sep 17 00:00:00 2001
From: phact
Date: Tue, 7 Oct 2025 14:53:42 -0400
Subject: [PATCH] log hashes
---
 Makefile | 8 ++++----
 tests/integration/test_api_endpoints.py | 14 +++++++++++---
 2 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/Makefile b/Makefile
index a0fffd36..7d24ae2e 100644
--- a/Makefile
+++ b/Makefile
@@ -213,12 +213,12 @@ test-ci:
 done; \
 echo "Checking key files..."; \
 ls -la keys/; \
- echo "Public key content:"; \
- cat keys/public_key.pem; \
- echo "Private key content (first 5 lines):"; \
- head -5 keys/private_key.pem; \
+ echo "Public key hash:"; \
+ sha256sum keys/public_key.pem | cut -d' ' -f1 | cut -c1-16; \
 echo "Generating test JWT token..."; \
 TEST_TOKEN=$$(uv run python -c "from src.session_manager import SessionManager, AnonymousUser; sm = SessionManager('test'); print(sm.create_jwt_token(AnonymousUser()))"); \
+ echo "Token hash:"; \
+ echo "$$TEST_TOKEN" | sha256sum | cut -d' ' -f1 | cut -c1-16; \
 echo "Waiting for OpenSearch with JWT auth to work..."; \
 JWT_AUTH_READY=false; \
 for i in $$(seq 1 60); do \
diff --git a/tests/integration/test_api_endpoints.py b/tests/integration/test_api_endpoints.py
index caf7afff..4593df12 100644
--- a/tests/integration/test_api_endpoints.py
+++ b/tests/integration/test_api_endpoints.py
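Review bot: In the Makefile hunk for `test-ci`, the new token digest is computed from `echo "$$TEST_TOKEN"`, which appends a newline, so it can never equal a SHA-256 taken over the bare token, such as the `hashlib.sha256(test_token.encode())` digest this commit logs from tests/integration/test_api_endpoints.py. If the two log lines are meant to be correlated, hash the exact token bytes with `printf '%s' "$$TEST_TOKEN" | sha256sum | cut -d' ' -f1 | cut -c1-16; \`. The public-key digest is taken over the file bytes on both sides, so those two lines are directly comparable. The recipe begins and continues outside the hunk, so whether the token or key material is still printed elsewhere in `test-ci` cannot be confirmed from here.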
@@ -16,22 +16,30 @@ async def wait_for_service_ready(client: httpx.AsyncClient, timeout_s: float = 3 # First test OpenSearch JWT directly from src.session_manager import SessionManager, AnonymousUser import os + import hashlib sm = SessionManager("test") test_token = sm.create_jwt_token(AnonymousUser()) - print(f"[DEBUG] Generated test JWT token (first 50 chars): {test_token[:50]}...") + token_hash = hashlib.sha256(test_token.encode()).hexdigest()[:16] + print(f"[DEBUG] Generated test JWT token hash: {token_hash}") print(f"[DEBUG] Using key paths: private={sm.private_key_path}, public={sm.public_key_path}") + with open(sm.public_key_path, 'rb') as f: + pub_key_hash = hashlib.sha256(f.read()).hexdigest()[:16] + print(f"[DEBUG] Public key hash: {pub_key_hash}") # Test OpenSearch JWT auth directly opensearch_url = f"https://{os.getenv('OPENSEARCH_HOST', 'localhost')}:{os.getenv('OPENSEARCH_PORT', '9200')}" + print(f"[DEBUG] Testing JWT auth directly against: {opensearch_url}/documents/_search") async with httpx.AsyncClient(verify=False) as os_client: r_os = await os_client.post( f"{opensearch_url}/documents/_search", headers={"Authorization": f"Bearer {test_token}"}, json={"query": {"match_all": {}}, "size": 0} ) - print(f"[DEBUG] Direct OpenSearch JWT test: status={r_os.status_code}, body={r_os.text[:300]}") + print(f"[DEBUG] Direct OpenSearch JWT test: status={r_os.status_code}, body={r_os.text[:500]}") if r_os.status_code == 401: - print(f"[DEBUG] OpenSearch rejected JWT! This means OIDC config is not working.") + print(f"[DEBUG] ❌ OpenSearch rejected JWT! OIDC config not working.") + else: + print(f"[DEBUG] ✓ OpenSearch accepted JWT!") deadline = asyncio.get_event_loop().time() + timeout_s last_err = None
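Review bot: The added `else:` branch prints "OpenSearch accepted JWT!" for every status other than 401, so a 403 (token authenticated but not authorised for the index) or a 5xx from a node that is still starting is logged as a successful JWT check. Narrow it to `elif r_os.status_code == 200:` and let a final `else:` report the status as unexpected, so the log separates authentication failures from authorisation and availability failures. The new `open(sm.public_key_path, 'rb')` appears to run before the retry loop with no handling, so a missing key file would raise out of `wait_for_service_ready` rather than produce a diagnostic line. Indentation is flattened in this view, and the function begins and ends outside the hunk.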