From ace55618daa8b4cd7eeb3f6d800d0aca69b13531 Mon Sep 17 00:00:00 2001
From: Serghei Mihai <smihai@entrouvert.com>
Date: Fri, 29 Jan 2016 16:08:35 +0100
Subject: [PATCH] fix organization creation and deletion api secret reading
 (#9801)

---
 ckanext/ozwillo_organization_api/plugin.py | 50 ++++++++++++++++--------------
 1 file changed, 26 insertions(+), 24 deletions(-)

diff --git a/ckanext/ozwillo_organization_api/plugin.py b/ckanext/ozwillo_organization_api/plugin.py
index 4c7d48d..0ba41a8 100644
--- a/ckanext/ozwillo_organization_api/plugin.py
+++ b/ckanext/ozwillo_organization_api/plugin.py
@@ -22,33 +22,35 @@ plugin_config_prefix = 'ckanext.ozwillo_organization_api.'
 
 log = logging.getLogger(__name__)
 
-def valid_signature_required(func):
+def valid_signature_required(secret_prefix):
 
     signature_header_name = config.get(plugin_config_prefix + 'signature_header_name',
                                        'X-Hub-Signature')
-    instantiated_secret = config.get(plugin_config_prefix + 'instantiation_secret',
-                                     'secret')
-
-    def wrapper(context, data):
-        if signature_header_name in request.headers:
-            if request.headers[signature_header_name].startswith('sha1='):
-                algo, received_hmac = request.headers[signature_header_name].rsplit('=')
-                computed_hmac = hmac.new(instantiated_secret, request.body, sha1).hexdigest()
-                # the received hmac is uppercase according to
-                # http://doc.ozwillo.com/#ref-3-2-1
-                if received_hmac != computed_hmac.upper():
-                    log.info('Invalid HMAC')
-                    raise logic.NotAuthorized(_('Invalid HMAC'))
+    api_secret = config.get(plugin_config_prefix + secret_prefix +'_secret', 'secret')
+
+    def decorator(func):
+        def wrapper(context, data):
+            if signature_header_name in request.headers:
+                if request.headers[signature_header_name].startswith('sha1='):
+                    algo, received_hmac = request.headers[signature_header_name].rsplit('=')
+                    computed_hmac = hmac.new(api_secret, request.body, sha1).hexdigest()
+                    # the received hmac is uppercase according to
+                    # http://doc.ozwillo.com/#ref-3-2-1
+                    if received_hmac != computed_hmac.upper():
+                        log.info('Invalid HMAC')
+                        raise logic.NotAuthorized(_('Invalid HMAC'))
+                else:
+                    log.info('Invalid HMAC algo')
+                    raise logic.ValidationError(_('Invalid HMAC algo'))
             else:
-                log.info('Invalid HMAC algo')
-                raise logic.ValidationError(_('Invalid HMAC algo'))
-        else:
-            log.info('No HMAC in the header')
-            raise logic.NotAuthorized(_("No HMAC in the header"))
-        return func(context, data)
-    return wrapper
-
-@valid_signature_required
+                log.info('No HMAC in the header')
+                raise logic.NotAuthorized(_("No HMAC in the header"))
+            return func(context, data)
+        return wrapper
+    return decorator
+
+
+@valid_signature_required(secret_prefix='instantiation')
 def create_organization(context, data_dict):
     context['ignore_auth'] = True
     model = context['model']
@@ -149,7 +151,7 @@ def create_organization(context, data_dict):
         log.debug('Validation error "%s" occured while creating organization' % e)
         raise
 
-@valid_signature_required
+@valid_signature_required(secret_prefix='destruction')
 def delete_organization(context, data_dict):
     data_dict['id'] = data_dict.pop('instance_id')
     context['ignore_auth'] = True
-- 
2.7.0