From b30590c881c13546b4d7bcac1f4238f71bea66d0 Mon Sep 17 00:00:00 2001
From: John Duggan <dugganjw@ornl.gov>
Date: Fri, 13 Mar 2026 09:39:25 -0400
Subject: [PATCH] Only hold the refresh lock for as long as is necessary and
 log lock attempts

---
 .gitlab-ci.yml                |  4 ++--
 lib/galaxy/authnz/managers.py | 36 +++++++++++++++++++----------------
 2 files changed, 22 insertions(+), 18 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 7c0209c6a9..454f37c8a3 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -9,8 +9,8 @@ variables:
   CONTAINER_GALAXY_URL: "${NDIP_DOCKER_REPOSITORY}/${CI_PROJECT_PATH}"
   CONTAINER_GALAXY_BASE_URL: "${CONTAINER_GALAXY_URL}/base"
   CONTAINER_GALAXY_COMMIT_URL: "${CONTAINER_GALAXY_URL}/commit"
-  GALAXY_VERSION_PYTHON: 25.1.dev4+ornl
-  GALAXY_VERSION_DOCKER: 25.1.dev4.ornl
+  GALAXY_VERSION_PYTHON: 25.1.dev5+ornl
+  GALAXY_VERSION_DOCKER: 25.1.dev5.ornl
 
 # This import is for the func_rse_docker_* functions
 before_script:
diff --git a/lib/galaxy/authnz/managers.py b/lib/galaxy/authnz/managers.py
index 54695166fa..bd88d1c3f7 100644
--- a/lib/galaxy/authnz/managers.py
+++ b/lib/galaxy/authnz/managers.py
@@ -305,24 +305,28 @@ class AuthnzManager:
             raise exceptions.ItemAccessibilityException(msg)
 
     def refresh_expiring_oidc_tokens_for_provider(self, trans, auth):
-        with open("/tmp/galaxy_refresh_lock", "w") as lock:
-            try:
+        try:
+            success, message, backend = self._get_authnz_backend(auth.provider)
+            if success is False:
+                msg = f"An error occurred when refreshing user token on `{auth.provider}` identity provider: {message}"
+                log.error(msg)
+                return False
+            log.debug("Attempting to acquire refresh lock")
+            with open("/tmp/galaxy_refresh_lock", "w") as lock:
                 fcntl.flock(lock, fcntl.LOCK_EX | fcntl.LOCK_NB)
-                success, message, backend = self._get_authnz_backend(auth.provider)
-                if success is False:
-                    msg = f"An error occurred when refreshing user token on `{auth.provider}` identity provider: {message}"
-                    log.error(msg)
-                    return False
+                log.debug("Acquired refresh lock")
                 refreshed = backend.refresh(trans.sa_session, auth, 30)
-                if refreshed:
-                    log.debug(f"Refreshed user token via `{auth.provider}` identity provider")
-                return True
-            except BlockingIOError:
-                log.debug("Another process is refreshing, skipping")
-                return True
-            except Exception as e:
-                log.exception("An error occurred when refreshing user token")
-                return False
+            if refreshed:
+                log.debug(
+                    f"Refreshed user token via `{auth.provider}` identity provider"
+                )
+            return True
+        except BlockingIOError:
+            log.debug("Another process is refreshing, skipping")
+            return True
+        except Exception as e:
+            log.exception(f"An error occurred when refreshing user token: {str(e)}")
+            return False
 
     def refresh_expiring_oidc_tokens(self, trans, user=None):
         user = trans.user or user
-- 
GitLab