From d06826d99f0ceb4ecc5e3b461d9c7b5ca26abd18 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20P=C3=A9ters?= Date: Wed, 9 Nov 2016 17:19:39 +0100 Subject: [PATCH] misc: use signed URL to call authentic (#12467) --- welco/contacts/views.py | 15 +++++++++++---- welco/settings.py | 2 -- welco/utils.py | 3 --- 3 files changed, 11 insertions(+), 9 deletions(-) diff --git a/welco/contacts/views.py b/welco/contacts/views.py index 40bc9c9..edec7b1 100644 --- a/welco/contacts/views.py +++ b/welco/contacts/views.py @@ -28,7 +28,7 @@ from django.template import RequestContext from django.views.decorators.csrf import csrf_exempt from django.views.generic import TemplateView, FormView -from welco.utils import get_wcs_data, get_authentic_url +from welco.utils import get_wcs_data, sign_url from .forms import ContactAddForm @@ -133,11 +133,18 @@ class ContactAdd(FormView): msg['password'] = str(random.SystemRandom().random()) msg['send_registration_email'] = True + authentic_site = settings.KNOWN_SERVICES.get('authentic').values()[0] + authentic_url = authentic_site.get('url') + authentic_orig = authentic_site.get('orig') + authentic_secret = authentic_site.get('secret') + + url = authentic_url + 'api/users/?orig=%s' % authentic_orig + signed_url = sign_url(url, authentic_secret) + authentic_response = requests.post( - get_authentic_url() + 'api/users/', + signed_url, data=json.dumps(msg), - headers={'Content-type': 'application/json'}, - auth=settings.AUTHENTIC_AUTH_TUPLE) + headers={'Content-type': 'application/json'}) user_uuid = authentic_response.json().get('uuid') for i in range(50): diff --git a/welco/settings.py b/welco/settings.py index bae82dc..cb356ae 100644 --- a/welco/settings.py +++ b/welco/settings.py @@ -172,8 +172,6 @@ VALIDATION_STEPS = { 'mail': ['done-qualif', 'done-dgs', 'done-dga'], } -AUTHENTIC_AUTH_TUPLE = ('username', 'password') - # mapping of channel to group/role *names* CHANNEL_ROLES = { 'mail': [], 
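Review bot: The `.get('url')`, `.get('orig')` and `.get('secret')` lookups added in ContactAdd return `None` for a key missing from the KNOWN_SERVICES entry instead of failing, and for `secret` that matters: the `sign_string` context in the welco/utils.py hunk keys the HMAC with `str(key)`, so if `sign_url` passes the secret through to it (its body is not visible here) a missing secret would sign the request with the literal string `'None'`. Index the dict instead, e.g. `authentic_secret = authentic_site['secret']`, and likewise for `url` and `orig`, so a misconfiguration raises KeyError before any request is built. `authentic_orig` also goes unescaped into the URL handed to `sign_url`; `'api/users/?orig=%s' % urllib.quote(authentic_orig)` (assuming `urllib` is or gets imported in this file) keeps a value containing `&` or `=` from altering the parameters that end up signed. The enclosing method starts and ends outside the hunk.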
diff --git a/welco/utils.py b/welco/utils.py
index dcc0506..549da18 100644
--- a/welco/utils.py
+++ b/welco/utils.py
@@ -56,9 +56,6 @@ def sign_string(s, key, algo='sha256', timedelta=30):
 hash = hmac.HMAC(str(key), digestmod=digestmod, msg=s)
 return hash.digest()
-def get_authentic_url():
- return settings.KNOWN_SERVICES.get('authentic').items()[0][1]['url']
-
 def get_wcs_services():
 return settings.KNOWN_SERVICES.get('wcs')