feat: add OrgAuthToken model

[mydea]

This adds a new OrgAuthToken model:

• Tied to an organization
• Has a token which is expected to be a JWT token
• Add two basic utilities for token generation/parsing
• It is possible to assign project(s) to a token

ref #50144

based on RFC getsentry/rfcs#91

[mydea]

Not 100% sure what I should make the max length here. on the RFC there is a comment that we should store this in hashed form, if we do this I guess we need a more generic length here...?

[iambriccardo]

@mitsuhiko why would we need to store it hashed?

[mydea]

see: getsentry/rfcs#91 (comment)

[iambriccardo]

Great thanks! I supposed it was for security reasons then it makes sense.

Here we should make the length, the length of the hash. I don't expect we will need to store the token in any other format besides the hashed one.

[markstory]

Are you planning on storing the encoded JWT? or only the important claims within the token?

[mydea]

I updated this to be explicit that we store token_hashed in the DB.

[codecov]

Codecov Report

Merging #50409 (7518568) into master (12d0ad9) will increase coverage by 1.01%.
The diff coverage is 87.87%.

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #50409      +/-   ##
==========================================
+ Coverage   80.14%   81.15%   +1.01%     
==========================================
  Files        4843     4845       +2     
  Lines      203733   203799      +66     
  Branches    11130    11130              
==========================================
+ Hits       163275   165401    +2126     
+ Misses      40212    38152    -2060     
  Partials      246      246              

Impacted Files	Coverage Δ
src/sentry/models/orgauthtoken.py	86.66% <86.66%> (ø)
src/sentry/utils/security/orgauthtoken_jwt.py	90.00% <90.00%> (ø)
src/sentry/models/__init__.py	100.00% <100.00%> (ø)

... and 113 files with indirect coverage changes

[mydea]

Note: I put these new models into the control silo, mirroring the api token model, I think that is the correct place?

[iambriccardo]

You should put this model in orgauthtoken.py since it belongs to the same cluster of models related to org auth tokens.

[mydea]

after talking this through with @mitsuhiko , we decided to skip the projects for now!

[iambriccardo]

Due to the nature of the relationship, it's not a big deal at all for the db.

[iambriccardo]

@mitsuhiko why would we need to store it hashed?

[iambriccardo]

Should we statically type the list of scopes? Having such a generic field is a bit suspicious.

[mydea]

for reference, this is how the scope list is currently stored in other models. But we may improve on this here :D

[iambriccardo]

If possible i would like to bound it list of elements, maybe like:

from django.db import models
from django.core.exceptions import ValidationError

class MyModel(models.Model):
    OPTIONS = [
        ('option1', 'Option 1'),
        ('option2', 'Option 2'),
        ('option3', 'Option 3'),
    ]

    choices_array = models.ArrayField(
        models.TextField(),
        validators=[],
    )

    def validate_choices_array(value):
        for choice in value:
            if choice not in dict(MyModel.OPTIONS).keys():
                raise ValidationError(f"{choice} is not a valid choice.")

    choices_array.validators.append(validate_choices_array)

[mydea]

Good point, I implemented this!

[iambriccardo]

user_added refers to the User that created this token? If so, I would call this user or added_by.

[mydea]

yes, that's the idea - I'll rename it to added_by (IMHO user is a potentially confusing as it may imply this token belongs to that user, which it doesn't).

[iambriccardo]

Oh yeah, that's a good point!

[iambriccardo]

Instead of having a null field, we could have it default to timezone.now and update it when the user uses it, but this changes the semantics. I don't know which ones are more representative of the situation.

[mydea]

IMHO it's useful to know that the token was never used, I'd say?

[iambriccardo]

You could technically infer it if the two dates are equal but ofc it's not the best way. My main concern was that having nullability in the db is not very nice but I understand your point.

[markstory]

Are you planning on storing the encoded JWT? or only the important claims within the token?

[markstory]

Are you sure you want cascading here? If the last used project is deleted should the org token be deleted?

[iambriccardo]

Very good point @markstory, I missed this.

[iambriccardo]

@mydea we can just put the project id here as a BoundedBigIntegerField and forget about possible accidental cascading deletions.

[mydea]

It's a good point, true! So it should def. not cascade, but should we use HubridCloudForeignKey or BoundedBigIntegerField then? Happy to use BoundedBigIntegerField, just wanting to make sure to get the hybrid could stuff right...!

[mydea]

(BTW also created_by should not cascade but set to null as well, adjusted that too!)

[markstory]

Should this be use even when the instance is self-hosted/single-tenant?

[mydea]

yeah, valid question... took this from here: https://github.com/getsentry/rfcs/pull/91/files#diff-3109d1f30b4b81085e85d841deafefb0d1b43cc5345c64514475512a4ce9fdeeR94

IMHO it should be something consistent that says "this is from sentry", and not differ when it is self-hosted/single-tenant. Not sure if sentry.io is the best value for this then, but I'd say it's fine, maybe (just "Sentry" may also be ambiguous, ...)

[markstory]

I think you'll also need the organizations 'root' URL as in the future, we'll have multiple regions (with different API urls). While customer traffic can continue using https://sentry.io/api/0/** there will be latency overhead (and cost to us) so we should encourage using regional domains instead.

[mydea]

is this different from "sentry_site": settings.SENTRY_OPTIONS["system.url-prefix"],? that is what this is designed to do (but honestly I am not 100% sure what fields are what there, @mitsuhiko pointed me to this settings field)

So to be clear, the only point of the sentry_site field is exactly what you mentioned, if we should store something else in there, happy to be pointed to it!

[markstory]

In the future, organizations will have a couple URLs:

• sentryUrl which is our root domain and is the same as system.url-prefix. ex. sentry.io
• organizationUrl which is domain for the organization's UI. ex acme.sentry.io
• regionUrl Which is the domain that the organization's API endpoints are available on. ex us.sentry.io

Any API requests sent to sentryUrl will be routed to the correct region, but will suffer a latency penalty (because we're proxying the request to the region) and the request will go to the US (this can matter for EU customers).

For this scenario, I think you'll want both the sentryUrl and regionUrl available in the JWT. There are a small number of API endpoints that are only available on sentryUrl (users, integrations, sentry apps).

[mydea]

where do I get regionUrl from? (I left a comment in the RFC as well to make sure this is aligned - I'd go with sentry_url and sentry_region_url then)

[iambriccardo]

Suggested change

	project_last_used = HybridCloudForeignKey(
	"sentry.Project", null=True, blank=True, on_delete="cascade"
	)
	project_last_used = BoundedBigIntegerFieldd(db_index=True)

[mydea]

is this preferred over the HybridCouldForeignKey? 🤔 Feels like that is designed for exactly this use case, but honestly not entirely sure... 😅

[iambriccardo]

The other option would be to use HybridCloudForeignKey("sentry.Project", null=True, blank=True, on_delete="SET_NULL")

[iambriccardo]

I don't have the expertise to judge what is better, since I lack in-depth knowledge of hybrid cloud. @markstory could you give an input here, thanks!

[AniketDas-Tekky]

Copying my comment from the issue:
#50144 (comment)

Basically, is there a tech spec for this? And have we properly investigated what introducing a new token type means?

[github-actions]

This PR has a migration; here is the generated SQL for src/sentry/migrations/0483_add_orgauthtoken.py ()

--
-- Create model OrgAuthToken
--
CREATE TABLE "sentry_orgauthtoken" ("id" bigserial NOT NULL PRIMARY KEY, "organization_id" bigint NOT NULL, "token_hashed" varchar(3000) NOT NULL UNIQUE, "token_last_characters" varchar(4) NULL, "name" varchar(255) NOT NULL, "scope_list" text[] NULL, "date_added" timestamp with time zone NOT NULL, "date_last_used" timestamp with time zone NULL, "project_last_used_id" bigint NULL, "date_deactivated" timestamp with time zone NULL, "created_by_id" integer NULL);
ALTER TABLE "sentry_orgauthtoken" ADD CONSTRAINT "sentry_orgauthtoken_created_by_id_5e2288f9_fk_auth_user_id" FOREIGN KEY ("created_by_id") REFERENCES "auth_user" ("id") DEFERRABLE INITIALLY DEFERRED NOT VALID;
ALTER TABLE "sentry_orgauthtoken" VALIDATE CONSTRAINT "sentry_orgauthtoken_created_by_id_5e2288f9_fk_auth_user_id";
CREATE INDEX CONCURRENTLY "sentry_orgauthtoken_organization_id_17552a60" ON "sentry_orgauthtoken" ("organization_id");
CREATE INDEX CONCURRENTLY "sentry_orgauthtoken_token_hashed_4c36306d_like" ON "sentry_orgauthtoken" ("token_hashed" varchar_pattern_ops);
CREATE INDEX CONCURRENTLY "sentry_orgauthtoken_project_last_used_id_0b9aa639" ON "sentry_orgauthtoken" ("project_last_used_id");
CREATE INDEX CONCURRENTLY "sentry_orgauthtoken_created_by_id_5e2288f9" ON "sentry_orgauthtoken" ("created_by_id");

[mydea]

Copying my comment from the issue: #50144 (comment)

Basically, is there a tech spec for this? And have we properly investigated what introducing a new token type means?

Hey, there is an RFC getsentry/rfcs#91 by @mitsuhiko. If you have any concerns about this on a fundamental level, that's the place to discuss this, I guess. My understanding is that the basic decision that we want to add new org-level tokens has been taken, but @mitsuhiko can probably give you more information if you have more fundamental questions!

[iambriccardo]

PR LGTM but I can't judge the usage of the HybridCloudForeignKey. The only thing I can say is that semantically it makes sense.

[iambriccardo]

PR LGTM but I can't judge the usage of the HybridCloudForeignKey. The only thing I can say is that semantically it makes sense.

file isn't in the review any more

[github-actions]

This PR has a migration; here is the generated SQL for src/sentry/migrations/0487_add_orgauthtoken.py ()

--
-- Create model OrgAuthToken
--
CREATE TABLE "sentry_orgauthtoken" ("id" bigserial NOT NULL PRIMARY KEY, "organization_id" bigint NOT NULL, "token_hashed" text NOT NULL UNIQUE, "token_last_characters" varchar(4) NULL, "name" varchar(255) NOT NULL, "scope_list" text[] NULL, "date_added" timestamp with time zone NOT NULL, "date_last_used" timestamp with time zone NULL, "project_last_used_id" bigint NULL, "date_deactivated" timestamp with time zone NULL, "created_by_id" integer NULL);
ALTER TABLE "sentry_orgauthtoken" ADD CONSTRAINT "sentry_orgauthtoken_created_by_id_5e2288f9_fk_auth_user_id" FOREIGN KEY ("created_by_id") REFERENCES "auth_user" ("id") DEFERRABLE INITIALLY DEFERRED NOT VALID;
ALTER TABLE "sentry_orgauthtoken" VALIDATE CONSTRAINT "sentry_orgauthtoken_created_by_id_5e2288f9_fk_auth_user_id";
CREATE INDEX CONCURRENTLY "sentry_orgauthtoken_organization_id_17552a60" ON "sentry_orgauthtoken" ("organization_id");
CREATE INDEX CONCURRENTLY "sentry_orgauthtoken_token_hashed_4c36306d_like" ON "sentry_orgauthtoken" ("token_hashed" text_pattern_ops);
CREATE INDEX CONCURRENTLY "sentry_orgauthtoken_project_last_used_id_0b9aa639" ON "sentry_orgauthtoken" ("project_last_used_id");
CREATE INDEX CONCURRENTLY "sentry_orgauthtoken_created_by_id_5e2288f9" ON "sentry_orgauthtoken" ("created_by_id");

[github-actions]

This PR has a migration; here is the generated SQL for src/sentry/migrations/0488_add_orgauthtoken.py ()

--
-- Create model OrgAuthToken
--
CREATE TABLE "sentry_orgauthtoken" ("id" bigserial NOT NULL PRIMARY KEY, "organization_id" bigint NOT NULL, "token_hashed" text NOT NULL UNIQUE, "token_last_characters" varchar(4) NULL, "name" varchar(255) NOT NULL, "scope_list" text[] NULL, "date_added" timestamp with time zone NOT NULL, "date_last_used" timestamp with time zone NULL, "project_last_used_id" bigint NULL, "date_deactivated" timestamp with time zone NULL, "created_by_id" integer NULL);
ALTER TABLE "sentry_orgauthtoken" ADD CONSTRAINT "sentry_orgauthtoken_created_by_id_5e2288f9_fk_auth_user_id" FOREIGN KEY ("created_by_id") REFERENCES "auth_user" ("id") DEFERRABLE INITIALLY DEFERRED NOT VALID;
ALTER TABLE "sentry_orgauthtoken" VALIDATE CONSTRAINT "sentry_orgauthtoken_created_by_id_5e2288f9_fk_auth_user_id";
CREATE INDEX CONCURRENTLY "sentry_orgauthtoken_organization_id_17552a60" ON "sentry_orgauthtoken" ("organization_id");
CREATE INDEX CONCURRENTLY "sentry_orgauthtoken_token_hashed_4c36306d_like" ON "sentry_orgauthtoken" ("token_hashed" text_pattern_ops);
CREATE INDEX CONCURRENTLY "sentry_orgauthtoken_project_last_used_id_0b9aa639" ON "sentry_orgauthtoken" ("project_last_used_id");
CREATE INDEX CONCURRENTLY "sentry_orgauthtoken_created_by_id_5e2288f9" ON "sentry_orgauthtoken" ("created_by_id");

I think this has been addressed!