
feat(auth): Return auth error if application is requesting a wrong org #81193

Merged
merged 5 commits into master from athena/launch-middleware-changes
Nov 26, 2024

Conversation

sentaur-athena
Member

@sentaur-athena sentaur-athena commented Nov 22, 2024

If an application is an organization-scoped application, its tokens will only have access to one organization of a user. So we should return an auth error if:

  1. They're calling an API on an organization that is not the same as the org in the token
  2. They're calling an API that is not limited to one organization, for example listing all of a user's projects

In a previous PR I added some logging to make sure this doesn't break other integrations. It actually does, so I have to limit this to token.scoping_organization_id vs token.organization_id

@sentaur-athena sentaur-athena requested review from a team as code owners November 22, 2024 18:04
@sentaur-athena sentaur-athena marked this pull request as draft November 22, 2024 18:04
@github-actions github-actions bot added the Scope: Backend Automatically applied to PRs that change backend components label Nov 22, 2024
@sentaur-athena sentaur-athena requested review from markstory, a team and mdtro November 22, 2024 18:04
@sentaur-athena sentaur-athena force-pushed the athena/launch-middleware-changes branch from a09ec51 to 9c162e6 Compare November 22, 2024 19:58
@sentaur-athena sentaur-athena marked this pull request as ready for review November 22, 2024 19:59

codecov bot commented Nov 22, 2024

Codecov Report

Attention: Patch coverage is 80.00000% with 1 line in your changes missing coverage. Please review.

✅ All tests successful. No failed tests found.

Files with missing lines Patch % Lines
src/sentry/api/authentication.py 80.00% 1 Missing ⚠️
@@           Coverage Diff           @@
##           master   #81193   +/-   ##
=======================================
  Coverage   80.35%   80.35%           
=======================================
  Files        7221     7220    -1     
  Lines      319612   319588   -24     
  Branches    20783    20783           
=======================================
- Hits       256821   256802   -19     
+ Misses      62396    62391    -5     
  Partials      395      395           

@sentaur-athena sentaur-athena changed the base branch from master to athena/add-scoping-org-to-all November 22, 2024 21:17
sentaur-athena added a commit that referenced this pull request Nov 25, 2024
Adding scoping_organization_id to both ApiTokenReplica and SystemToken.
The reason is that we want to limit auth tokens that are scoped to a
specific organization from accessing any other organization.
Context on why we need this is here:
#81193
Base automatically changed from athena/add-scoping-org-to-all to master November 25, 2024 21:17
@sentaur-athena sentaur-athena requested a review from a team as a code owner November 25, 2024 21:17
```python
)
# We want to limit org-scoped tokens' access to org-level endpoints only,
# or to non-org-level endpoints that we added special treatment for
if resolved_url.url_name not in ["sentry-api-0-organizations"]:
```
Member Author

@sentaur-athena sentaur-athena Nov 25, 2024


It's safe to allowlist usage of this endpoint even though the endpoint is not specific to one organization, because this case is already handled in the endpoint code: https://github.com/getsentry/sentry/blob/master/src/sentry/api/endpoints/organization_index.py#L98

So basically, if I call this endpoint to list the organizations of one person with a token that only has access to one of them, the endpoint only returns that one.

I should add that it's also important and required to allowlist this endpoint, because for a partner who doesn't store any Sentry data like the organization id, this is the only way to get the organization id they want to query on.
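The check the PR description and the comment above describe, written out as an added example (not Sentry's own code): an org-scoped token may only reach endpoints addressed to its scoping organization, plus an allowlisted non-org endpoint that filters results itself. The Token and ResolvedUrl shapes, the org lookup table and the `is_allowed` helper are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Non-org-level endpoints that already restrict output to the token's
# scoping organization (the PR allowlists the organization index).
ALLOWLISTED_URL_NAMES = {"sentry-api-0-organizations"}


@dataclass
class Token:                                 # assumed shape, not Sentry's model
    organization_id: Optional[int]           # org the token was created in
    scoping_organization_id: Optional[int]   # set only for org-scoped app tokens


@dataclass
class ResolvedUrl:                           # assumed shape of a resolved route
    url_name: str
    kwargs: dict = field(default_factory=dict)  # e.g. {"organization_id_or_slug": "acme"}


class AuthError(Exception):
    pass


def check_org_scope(token: Token, url: ResolvedUrl,
                    org_lookup: Callable[[str], Optional[int]]) -> None:
    """Raise AuthError when an org-scoped token targets the wrong org or a
    non-org endpoint that is not allowlisted. org_lookup maps the
    organization_id_or_slug path value to an organization id."""
    scope = token.scoping_organization_id
    if scope is None:
        return  # not an org-scoped token: nothing extra to enforce here
    org_ref = url.kwargs.get("organization_id_or_slug")
    if org_ref is None:
        # Endpoint is not bound to one organization (e.g. list all user's projects).
        if url.url_name not in ALLOWLISTED_URL_NAMES:
            raise AuthError("org-scoped token used on a non-organization endpoint")
        return
    if org_lookup(org_ref) != scope:
        raise AuthError("token is scoped to a different organization")


# Constructed sample directory: both id and slug resolve to the org id.
SAMPLE_ORGS = {"acme": 1, "1": 1, "globex": 2, "2": 2}


def is_allowed(token: Token, url: ResolvedUrl) -> bool:
    """Boolean wrapper around check_org_scope for the constructed sample orgs."""
    try:
        check_org_scope(token, url, SAMPLE_ORGS.get)
        return True
    except AuthError:
        return False
```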

@sentaur-athena sentaur-athena enabled auto-merge (squash) November 26, 2024 19:57
@sentaur-athena sentaur-athena merged commit bf9592d into master Nov 26, 2024
49 of 50 checks passed
@sentaur-athena sentaur-athena deleted the athena/launch-middleware-changes branch November 26, 2024 19:57

sentry-io bot commented Nov 26, 2024

Suspect Issues

This pull request was deployed and Sentry observed the following issues:

  • ‼️ OperationalError: OperationalError('server closed the connection unexpectedly\n\tThis probably means the server ter... /api/0/projects/{organization_id_or_slug}/{proj... View Issue


andrewshie-sentry pushed a commit that referenced this pull request Dec 2, 2024
andrewshie-sentry pushed a commit that referenced this pull request Dec 2, 2024
@github-actions github-actions bot locked and limited conversation to collaborators Dec 12, 2024