Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(auth): Return auth error if application is requesting a wrong org #81193

Open
wants to merge 4 commits into
base: athena/add-scoping-org-to-all
Choose a base branch
from
Open

feat(auth): Return auth error if application is requesting a wrong org #81193

wants to merge 4 commits into from

Conversation

sentaur-athena
Copy link
Member

@sentaur-athena sentaur-athena commented Nov 22, 2024
edited
Loading

If an application is organization scope application, their tokens will only have access to one organization of a user. So we should return auth error if:

  1. They're calling an API on an organization that is not the same as the org in the token
  2. They're calling an API that is not limited to one organization, for example list all user's project

In a previous PR I added some logging to make sure this doesn't break other integrations. It actually does, so I have to limit this to token.scoping_organization_id vs token.organization_id

@sentaur-athena sentaur-athena requested review from a team as code owners November 22, 2024 18:04
@sentaur-athena sentaur-athena marked this pull request as draft November 22, 2024 18:04
@github-actions github-actions bot added the Scope: Backend Automatically applied to PRs that change backend components label Nov 22, 2024
@sentaur-athena sentaur-athena requested review from markstory, a team and mdtro November 22, 2024 18:04
@sentaur-athena sentaur-athena marked this pull request as ready for review November 22, 2024 19:59
markstory
markstory reviewed Nov 22, 2024
View reviewed changes
src/sentry/api/authentication.py
@@ -422,7 +423,7 @@ def authenticate_token(self, request: Request, token_str: str) -> tuple[Any, Any
if application_is_inactive:
raise AuthenticationFailed("UserApplication inactive or deleted")

if token.organization_id:
if token.scoping_organization_id:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The SystemToken and ApiTokenReplica types don't have scoping_organization_id attributes. I think you'd need to make sure that attribute exists first.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@markstory I added it to ApiTokenReplica below in src/sentry/auth/services/auth/serial.py

Why does SystemToken need it? 🤔

Copy link
Member Author

@sentaur-athena sentaur-athena Nov 22, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

oh got it. I need to add it to the model. But maybe skip the check for systemtoken? I don't see a case where this will used in system token at all so we want this line to skip.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added both in #81213

@codecov Codecov
Copy link

codecov bot commented Nov 22, 2024
edited
Loading

❌ 2 Tests Failed:

Tests completed Failed Passed Skipped
23159 2 23157 215
View the top 2 failed tests by shortest run time 
tests.sentry.backup.test_dependencies::test_detailed
Stack Traces | 0.234s run time 
#x1B[1m#x1B[.../sentry/backup/test_dependencies.py#x1B[0m:54: in test_detailed
    assert_model_dependencies(expect, actual)
#x1B[1m#x1B[.../sentry/backup/test_dependencies.py#x1B[0m:42: in assert_model_dependencies
    raise AssertionError(
#x1B[1m#x1B[31mE   AssertionError: Model dependency graph does not match fixture. This means that you have changed the model dependency graph in some load bearing way. If you are seeing this in CI, and the dependency changes are intentional, please run `bin/generate-model-dependency-fixtures` and re-upload:#x1B[0m
#x1B[1m#x1B[31mE   #x1B[0m
#x1B[1m#x1B[31mE   --- #x1B[0m
#x1B[1m#x1B[31mE   #x1B[0m
#x1B[1m#x1B[31mE   +++ #x1B[0m
#x1B[1m#x1B[31mE   #x1B[0m
#x1B[1m#x1B[31mE   @@ -116,6 +116,11 @@#x1B[0m
#x1B[1m#x1B[31mE   #x1B[0m
#x1B[1m#x1B[31mE          },#x1B[0m
#x1B[1m#x1B[31mE          "organization": {#x1B[0m
#x1B[1m#x1B[31mE            "kind": "FlexibleForeignKey",#x1B[0m
#x1B[1m#x1B[31mE   +        "model": "sentry.organization",#x1B[0m
#x1B[1m#x1B[31mE   +        "nullable": true#x1B[0m
#x1B[1m#x1B[31mE   +      },#x1B[0m
#x1B[1m#x1B[31mE   +      "scoping_organization_id": {#x1B[0m
#x1B[1m#x1B[31mE   +        "kind": "HybridCloudForeignKey",#x1B[0m
#x1B[1m#x1B[31mE            "model": "sentry.organization",#x1B[0m
#x1B[1m#x1B[31mE            "nullable": true#x1B[0m
#x1B[1m#x1B[31mE          },#x1B[0m
tests.sentry.backup.test_comparators::test_default_comparators
Stack Traces | 0.396s run time 
#x1B[1m#x1B[.../sentry/backup/test_comparators.py#x1B[0m:2162: in test_default_comparators
    insta_snapshot(serialized)
#x1B[1m#x1B[31mE   Failed: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#x1B[0m
#x1B[1m#x1B[31mE   Snapshot .../snapshots/test_comparators/test_default_comparators.pysnap changed!#x1B[0m
#x1B[1m#x1B[31mE   #x1B[0m
#x1B[1m#x1B[31mE   #x1B[0m
#x1B[1m#x1B[31mE   Re-run pytest with SENTRY_SNAPSHOTS_WRITEBACK=new and then use 'make review-python-snapshots' to review.#x1B[0m
#x1B[1m#x1B[31mE   #x1B[0m
#x1B[1m#x1B[31mE   Or: Use SENTRY_SNAPSHOTS_WRITEBACK=1 to update snapshots directly.#x1B[0m
#x1B[1m#x1B[31mE   #x1B[0m
#x1B[1m#x1B[31mE   #x1B[0m
#x1B[1m#x1B[31mE   --- #x1B[0m
#x1B[1m#x1B[31mE   #x1B[0m
#x1B[1m#x1B[31mE   +++ #x1B[0m
#x1B[1m#x1B[31mE   #x1B[0m
#x1B[1m#x1B[31mE   @@ -28,6 +28,7 @@#x1B[0m
#x1B[1m#x1B[31mE   #x1B[0m
#x1B[1m#x1B[31mE        - apitoken_id#x1B[0m
#x1B[1m#x1B[31mE        - application_id#x1B[0m
#x1B[1m#x1B[31mE        - organization#x1B[0m
#x1B[1m#x1B[31mE   +    - scoping_organization_id#x1B[0m
#x1B[1m#x1B[31mE        - user_id#x1B[0m
#x1B[1m#x1B[31mE      model_name: hybridcloud.apitokenreplica#x1B[0m
#x1B[1m#x1B[31mE    - comparators:#x1B[0m
#x1B[1m#x1B[31mE   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#x1B[0m

To view more test analytics, go to the Test Analytics Dashboard
Got feedback? Let us know on Github

@sentaur-athena sentaur-athena mentioned this pull request Nov 22, 2024
Open
@sentaur-athena sentaur-athena changed the base branch from master to athena/add-scoping-org-to-all November 22, 2024 21:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@markstory markstory markstory left review comments

@mdtro mdtro Awaiting requested review from mdtro

Assignees
No one assigned
Labels
Scope: Backend Automatically applied to PRs that change backend components
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@sentaur-athena @markstory