feat: add OrgAuthToken
model
#50409
@@ -0,0 +1,77 @@ | ||
# Generated by Django 2.2.28 on 2023-06-14 10:24 | ||
|
||
import django.utils.timezone | ||
from django.conf import settings | ||
from django.db import migrations, models | ||
|
||
import sentry.db.models.fields.array | ||
import sentry.db.models.fields.bounded | ||
import sentry.db.models.fields.foreignkey | ||
import sentry.db.models.fields.hybrid_cloud_foreign_key | ||
import sentry.models.orgauthtoken | ||
from sentry.new_migrations.migrations import CheckedMigration | ||
|
||
|
||
class Migration(CheckedMigration): | ||
# This flag is used to mark that a migration shouldn't be automatically run in production. For | ||
# the most part, this should only be used for operations where it's safe to run the migration | ||
# after your code has deployed. So this should not be used for most operations that alter the | ||
# schema of a table. | ||
# Here are some things that make sense to mark as dangerous: | ||
# - Large data migrations. Typically we want these to be run manually by ops so that they can | ||
# be monitored and not block the deploy for a long period of time while they run. | ||
# - Adding indexes to large tables. Since this can take a long time, we'd generally prefer to | ||
# have ops run this and not block the deploy. Note that while adding an index is a schema | ||
# change, it's completely safe to run the operation after the code has deployed. | ||
is_dangerous = False | ||
|
||
dependencies = [ | ||
("sentry", "0487_add_indexes_to_bundles"), | ||
] | ||
|
||
operations = [ | ||
migrations.CreateModel( | ||
name="OrgAuthToken", | ||
fields=[ | ||
( | ||
"id", | ||
sentry.db.models.fields.bounded.BoundedBigAutoField( | ||
primary_key=True, serialize=False | ||
), | ||
), | ||
( | ||
"organization_id", | ||
sentry.db.models.fields.hybrid_cloud_foreign_key.HybridCloudForeignKey( | ||
"sentry.Organization", db_index=True, on_delete="CASCADE" | ||
), | ||
), | ||
("token_hashed", models.TextField(unique=True)), | ||
("token_last_characters", models.CharField(max_length=4, null=True)), | ||
("name", models.CharField(max_length=255)), | ||
( | ||
"scope_list", | ||
sentry.db.models.fields.array.ArrayField( | ||
null=True, validators=[sentry.models.orgauthtoken.validate_scope_list] | ||
), | ||
), | ||
("date_added", models.DateTimeField(default=django.utils.timezone.now)), | ||
("date_last_used", models.DateTimeField(blank=True, null=True)), | ||
( | ||
"project_last_used_id", | ||
sentry.db.models.fields.hybrid_cloud_foreign_key.HybridCloudForeignKey( | ||
"sentry.Project", blank=True, db_index=True, null=True, on_delete="SET_NULL" | ||
), | ||
), | ||
("date_deactivated", models.DateTimeField(blank=True, null=True)), | ||
( | ||
"created_by", | ||
sentry.db.models.fields.foreignkey.FlexibleForeignKey( | ||
blank=True, null=True, on_delete="SET_NULL", to=settings.AUTH_USER_MODEL | ||
), | ||
), | ||
], | ||
options={ | ||
"db_table": "sentry_orgauthtoken", | ||
}, | ||
), | ||
] |
@@ -0,0 +1,77 @@ | ||
from __future__ import annotations | ||
|
||
from django.core.exceptions import ValidationError | ||
from django.db import models | ||
from django.utils import timezone | ||
from django.utils.encoding import force_text | ||
|
||
from sentry.conf.server import SENTRY_SCOPES | ||
from sentry.db.models import ( | ||
ArrayField, | ||
BaseManager, | ||
FlexibleForeignKey, | ||
Model, | ||
control_silo_only_model, | ||
sane_repr, | ||
) | ||
from sentry.db.models.fields.hybrid_cloud_foreign_key import HybridCloudForeignKey | ||
from sentry.models.project import Project | ||
|
||
|
||
def validate_scope_list(value): | ||
for choice in value: | ||
if choice not in SENTRY_SCOPES: | ||
raise ValidationError(f"{choice} is not a valid scope.") | ||
|
||
|
||
@control_silo_only_model | ||
class OrgAuthToken(Model): | ||
__include_in_export__ = True | ||
|
||
organization_id = HybridCloudForeignKey("sentry.Organization", null=False, on_delete="CASCADE") | ||
# The JWT token in hashed form | ||
token_hashed = models.TextField(unique=True, null=False) | ||
# An optional representation of the last characters of the original token, to be shown to the user | ||
token_last_characters = models.CharField(max_length=4, null=True) | ||
name = models.CharField(max_length=255, null=False) | ||
scope_list = ArrayField( | ||
models.TextField(), | ||
validators=[validate_scope_list], | ||
) | ||
|
||
created_by = FlexibleForeignKey("sentry.User", null=True, blank=True, on_delete="SET_NULL") | ||
date_added = models.DateTimeField(default=timezone.now, null=False) | ||
date_last_used = models.DateTimeField(null=True, blank=True) | ||
project_last_used_id = HybridCloudForeignKey( | ||
"sentry.Project", null=True, blank=True, on_delete="SET_NULL" | ||
) | ||
date_deactivated = models.DateTimeField(null=True, blank=True) | ||
|
||
objects = BaseManager(cache_fields=("token_hashed",)) | ||
|
||
class Meta: | ||
app_label = "sentry" | ||
db_table = "sentry_orgauthtoken" | ||
|
||
__repr__ = sane_repr("organization_id", "token_hashed") | ||
|
||
def __str__(self): | ||
return force_text(self.token_hashed) | ||
|
||
def get_audit_log_data(self): | ||
return {"scopes": self.get_scopes()} | ||
|
||
def get_scopes(self): | ||
return self.scope_list | ||
|
||
def has_scope(self, scope): | ||
return scope in self.get_scopes() | ||
|
||
def project_last_used(self) -> Project | None: | ||
if self.project_last_used_id is None: | ||
return None | ||
|
||
return Project.objects.get(id=self.project_last_used_id) | ||
|
||
def is_active(self) -> bool: | ||
return self.date_deactivated is None |
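Review bot: `project_last_used` calls `Project.objects.get(id=self.project_last_used_id)` unguarded, so a dangling `project_last_used_id` — plausible for a `HybridCloudForeignKey(..., on_delete="SET_NULL")` whose null-out is applied across silos after the project is gone — raises `Project.DoesNotExist` rather than the `None` its `Project | None` annotation promises; `return Project.objects.filter(id=self.project_last_used_id).first()` keeps the contract. `__str__` and `sane_repr("organization_id", "token_hashed")` put the full token hash into every log line or error page that stringifies the model; `name` and `token_last_characters` are the display-safe fields, e.g. `__repr__ = sane_repr("organization_id", "name", "token_last_characters")`. `force_text` has been a deprecated alias of `force_str` since Django 3.0, so a new file should use `force_str`. `__include_in_export__ = True` will, if the flag means what its name says, carry `token_hashed` rows into exports — confirm that is intended for a credential table.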
@@ -0,0 +1,34 @@ | ||
from datetime import datetime | ||
from uuid import uuid4 | ||
|
||
from django.conf import settings | ||
|
||
from sentry.utils import jwt | ||
|
||
SENTRY_JWT_PREFIX = "sntrys_" | ||
|
||
|
||
def generate_token(org_slug: str, region_url: str): | ||
jwt_payload = { | ||
"iss": "sentry.io", | ||
"iat": datetime.utcnow(), | ||
"nonce": uuid4().hex, | ||
"sentry_url": settings.SENTRY_OPTIONS["system.url-prefix"], | ||
"sentry_region_url": region_url, | ||
"sentry_org": org_slug, | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think you'll also need the organizations 'root' URL as in the future, we'll have multiple regions (with different API urls). While customer traffic can continue using There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. is this different from So to be clear, the only point of the There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. In the future, organizations will have a couple URLs:
Any API requests sent to For this scenario, I think you'll want both the There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. where do I get |
||
} | ||
jwt_token = jwt.encode(jwt_payload, "", algorithm="none") | ||
return f"{SENTRY_JWT_PREFIX}{jwt_token}" | ||
|
||
|
||
def parse_token(token: str): | ||
if not token.startswith(SENTRY_JWT_PREFIX): | ||
return None | ||
token = token[7:] | ||
try: | ||
jwt_payload = jwt.peek_claims(token) | ||
if jwt_payload.get("iss") != "sentry.io": | ||
return None | ||
return jwt_payload | ||
except jwt.DecodeError: | ||
return None |
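Review bot: `parse_token` reads the claims with `jwt.peek_claims` and `generate_token` signs with `algorithm="none"`, so nothing in the returned payload — `iss`, `sentry_org`, `sentry_url`, `sentry_region_url` — is authenticated; the `iss` check only filters malformed input, it does not establish origin, and the sibling test `test_parse_token_changed_secret` pins exactly this. That is acceptable if the payload is only a routing hint and authorization comes from the hashed-token lookup, but the function should say so: add a docstring such as `"""Return the unverified claims of an org auth token, or None if it is not one. The token is unsigned, so callers must treat every claim as untrusted input and never derive permissions or the host a request is forwarded to from it."""`. `token = token[7:]` hard-codes the prefix length; `token = token[len(SENTRY_JWT_PREFIX):]` keeps it in sync with the constant. `datetime.utcnow()` for `iat` yields a naive datetime; `datetime.now(timezone.utc)` (importing `timezone` from `datetime`) is the aware form, provided the jwt helper accepts it.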
@@ -0,0 +1,34 @@ | ||
import pytest | ||
from django.core.exceptions import ValidationError | ||
|
||
from sentry.models import Organization, OrgAuthToken | ||
from sentry.testutils import TestCase | ||
from sentry.testutils.silo import region_silo_test | ||
|
||
|
||
@region_silo_test(stable=True) | ||
class OrgAuthTokenTest(TestCase): | ||
def test_get_scopes(self): | ||
token = OrgAuthToken(scope_list=["project:read", "project:releases"]) | ||
assert token.get_scopes() == ["project:read", "project:releases"] | ||
|
||
def test_has_scope(self): | ||
token = OrgAuthToken(scope_list=["project:read", "project:releases"]) | ||
assert token.has_scope("project:read") | ||
assert token.has_scope("project:releases") | ||
assert not token.has_scope("project:write") | ||
|
||
def test_validate_scope(self): | ||
org = Organization(name="Test org", slug="test-org") | ||
token = OrgAuthToken( | ||
organization_id=org.id, | ||
name="test token", | ||
token_hashed="test-token", | ||
scope_list=["project:xxxx"], | ||
) | ||
|
||
with pytest.raises( | ||
ValidationError, | ||
match="project:xxxx is not a valid scope.", | ||
): | ||
token.full_clean() |
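Review bot: In `test_validate_scope` the `Organization` is never saved, so `org.id` is `None` and `organization_id=None` is presumably rejected by the `null=False` field as well; `full_clean()` then raises a `ValidationError` carrying several messages, and `match=` (a regex search over the aggregated text) passes as long as the scope error is among them, so the test does not show the scope validator is the only thing firing. Use a persisted organization (e.g. the fixtures' `self.create_organization()`) so `scope_list` is the only invalid field, or assert `exc.value.message_dict == {"scope_list": ["project:xxxx is not a valid scope."]}` on the captured exception. Also the class is decorated `@region_silo_test` while the model file marks `OrgAuthToken` `@control_silo_only_model`; if the silo decorators are enforced this test runs in the wrong silo — worth confirming.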
@@ -0,0 +1,70 @@ | ||
from datetime import datetime | ||
|
||
from sentry.testutils import TestCase | ||
from sentry.utils import jwt | ||
from sentry.utils.security.orgauthtoken_jwt import SENTRY_JWT_PREFIX, generate_token, parse_token | ||
|
||
|
||
class OrgAuthTokenJwtTest(TestCase): | ||
def test_generate_token(self): | ||
token = generate_token("test-org", "https://test-region.sentry.io") | ||
|
||
assert token | ||
assert token.startswith(SENTRY_JWT_PREFIX) | ||
|
||
def test_parse_token(self): | ||
token = generate_token("test-org", "https://test-region.sentry.io") | ||
token_payload = parse_token(token) | ||
|
||
assert token_payload["sentry_org"] == "test-org" | ||
assert token_payload["sentry_url"] == "http://testserver" | ||
assert token_payload["sentry_region_url"] == "https://test-region.sentry.io" | ||
assert token_payload["nonce"] | ||
|
||
def test_parse_invalid_token(self): | ||
assert parse_token("invalid-token") is None | ||
|
||
def test_parse_invalid_token_iss(self): | ||
jwt_payload = { | ||
"iss": "invalid.io", | ||
"iat": datetime.utcnow(), | ||
"nonce": "test-nonce", | ||
"sentry_url": "test-site", | ||
"sentry_region_url": "test-site", | ||
"sentry_org": "test-org", | ||
} | ||
|
||
jwt_token = jwt.encode(jwt_payload, "ABC") | ||
token = SENTRY_JWT_PREFIX + jwt_token | ||
|
||
assert parse_token(token) is None | ||
|
||
def test_parse_token_changed_secret(self): | ||
jwt_payload = { | ||
"iss": "sentry.io", | ||
"iat": datetime.utcnow(), | ||
"nonce": "test-nonce", | ||
"sentry_url": "test-site", | ||
"sentry_region_url": "test-site", | ||
"sentry_org": "test-org", | ||
} | ||
|
||
jwt_token = jwt.encode(jwt_payload, "other-secret-here") | ||
token = SENTRY_JWT_PREFIX + jwt_token | ||
|
||
token_payload = parse_token(token) | ||
|
||
assert token_payload["sentry_org"] == "test-org" | ||
assert token_payload["sentry_url"] == "test-site" | ||
assert token_payload["nonce"] | ||
|
||
def test_generate_token_unique(self): | ||
jwt1 = generate_token("test-org", "https://test-region.sentry.io") | ||
jwt2 = generate_token("test-org", "https://test-region.sentry.io") | ||
jwt3 = generate_token("test-org", "https://test-region.sentry.io") | ||
|
||
assert jwt1 | ||
assert jwt2 | ||
assert jwt3 | ||
assert jwt1 != jwt2 | ||
assert jwt2 != jwt3 |
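Review bot: `test_parse_token_changed_secret` asserts that a token signed with an arbitrary secret still parses, which pins the fact that `parse_token` never verifies a signature; without a comment the next reader will take the test name for a bug report rather than a contract. Add above the method `# parse_token only peeks at claims; the signature is intentionally not checked because authorization comes from the hashed-token lookup, not from the JWT payload.` (hedged — that is the apparent design, confirm with the model's `token_hashed` usage). `test_parse_token` asserts `token_payload["sentry_url"] == "http://testserver"`, which depends on the test settings' `system.url-prefix` rather than on anything the function is given; comparing against `settings.SENTRY_OPTIONS["system.url-prefix"]` makes the expectation explicit.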
Should this be used even when the instance is self-hosted/single-tenant?
yeah, valid question... took this from here: https://github.com/getsentry/rfcs/pull/91/files#diff-3109d1f30b4b81085e85d841deafefb0d1b43cc5345c64514475512a4ce9fdeeR94
IMHO it should be something consistent that says "this is from sentry", and not differ when it is self-hosted/single-tenant. Not sure if
sentry.io
is the best value for this then, but I'd say it's fine, maybe (just "Sentry" may also be ambiguous, ...)