From 06055501ffae30213aee8c381020faaf662ef93e Mon Sep 17 00:00:00 2001
From: Guillaume Vincent <gvincent@redhat.com>
Date: Thu, 24 Oct 2024 09:48:12 +0200
Subject: [PATCH] Authenticate RHDL requests

Depends-On: https://softwarefactory-project.io/r/c/dci-infra/+/32497
Depends-On: https://softwarefactory-project.io/r/c/python-dciauth/+/32492
Change-Id: I67c7eb7a542b1cfcaf5b8eba45c70c57ab3c8ce3
---
 dci/api/v2/components.py | 15 +++++++++++++--
 dci/settings.py          |  4 +++-
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/dci/api/v2/components.py b/dci/api/v2/components.py
index 32841e925..6825c250e 100644
--- a/dci/api/v2/components.py
+++ b/dci/api/v2/components.py
@@ -27,6 +27,7 @@
 from dci.common import exceptions as dci_exc
 from dci.dci_config import CONFIG
 from dci.db import models2
+from dciauth.signature import HmacAuthBase
 
 
 logger = logging.getLogger(__name__)
@@ -51,9 +52,19 @@ def get_component_file_from_rhdl(user, c_id, filepath):
     rhdl_file_url = os.path.join(
         CONFIG["RHDL_API_URL"], "components", normalized_rhdl_component_filepath
     )
-
+    auth = HmacAuthBase(
+        access_key=CONFIG["RHDL_SERVICE_ACCOUNT_ACCESS_KEY"],
+        secret_key=CONFIG["RHDL_SERVICE_ACCOUNT_SECRET_KEY"],
+        region="us-east-1",
+        service="api",
+        service_key="aws4_request",
+        algorithm="AWS4-HMAC-SHA256",
+    )
     redirect = requests.get(
-        rhdl_file_url, allow_redirects=False, timeout=CONFIG["REQUESTS_TIMEOUT"]
+        rhdl_file_url,
+        allow_redirects=False,
+        auth=auth,
+        timeout=CONFIG["REQUESTS_TIMEOUT"],
     )
     if redirect.status_code != 302:
         raise dci_exc.DCIException(
diff --git a/dci/settings.py b/dci/settings.py
index 5b2c0fde9..4e17f6054 100644
--- a/dci/settings.py
+++ b/dci/settings.py
@@ -116,6 +116,8 @@
 
 CERTIFICATION_URL = "https://access.stage.redhat.com/hydra/rest/cwe/xmlrpc/v2"
 
-RHDL_API_URL = "https://rhdl.distributed-ci.io/api/v1"
+RHDL_API_URL = "https://api.rhdl.distributed-ci.io/api/v1"
+RHDL_SERVICE_ACCOUNT_ACCESS_KEY = os.getenv("RHDL_SERVICE_ACCOUNT_ACCESS_KEY", "")
+RHDL_SERVICE_ACCOUNT_SECRET_KEY = os.getenv("RHDL_SERVICE_ACCOUNT_SECRET_KEY", "")
 
 REQUESTS_TIMEOUT = (3.0, 10.0)