feat: add oidc auth

Author: Kl0ven

commitlint.config.js

@@ -11,7 +11,6 @@ const scope = [
 module.exports = {
   extends: ["@commitlint/config-angular"],
   rules: {
-    "body-empty": [2, "never", false],
     "scope-enum": [2, "always", scope],
   },
 };

controller/sentry/admin.py

@@ -5,6 +5,7 @@
     confirm_action,
 )
 from django.contrib import admin
+from django.contrib.auth import get_permission_codename
 from django.db import models
 from django.utils import timezone
 from django_better_admin_arrayfield.admin.mixins import DynamicArrayMixin
@@ -73,8 +74,8 @@ class AppAdmin(
             },
         ],
     ]
-
-    changelist_actions = ["bump"]
+    actions = ["bump"]
+    changelist_actions = []
     change_actions = ["bump"]
 
     @takes_instance_or_queryset
@@ -88,6 +89,14 @@ def bump(self, request, queryset, form: BumpForm = None):
             active_window_end=new_date,
         )
 
+    bump.allowed_permissions = ("bump_sample_rate",)
+
+    def has_bump_sample_rate_permission(self, request):
+        """Does the user have the bump permission?"""
+        opts = self.opts
+        codename = get_permission_codename("bump_sample_rate", opts)
+        return request.user.has_perm("%s.%s" % (opts.app_label, codename))
+
     def save_model(self, request, obj, form, change) -> None:
         invalidate_cache(f"/sentry/apps/{obj.reference}/")
         return super().save_model(request, obj, form, change)

controller/sentry/auth.py

@@ -0,0 +1,33 @@
+from django.conf import settings
+from django.contrib.auth.models import Group
+from mozilla_django_oidc.auth import OIDCAuthenticationBackend
+
+DEVELOPER_GROUP = Group.objects.get(name=settings.DEVELOPER_GROUP)
+
+
+class ControllerOIDCAuthenticationBackend(OIDCAuthenticationBackend):
+    def create_user(self, claims):
+        user = super().create_user(claims)
+        self._set_username(user, claims)
+        self._set_perms(user)
+        user.save()
+
+        return user
+
+    def update_user(self, user, claims):
+        self._set_username(user, claims)
+        self._set_perms(user)
+        user.save()
+
+        return user
+
+    def _set_username(self, user, claims):
+        email = claims.get("email")
+        username = email.split("@")[0]
+        user.username = claims.get("preferred_username") or username
+        user.first_name = claims.get("given_name", "")
+        user.last_name = claims.get("family_name", "")
+
+    def _set_perms(self, user):
+        user.is_staff = True
+        user.groups.add(DEVELOPER_GROUP)

controller/sentry/fixtures/groups.json

@@ -0,0 +1,75 @@
+[
+  {
+    "model": "auth.group",
+    "pk": 1,
+    "fields": {
+      "name": "Developer",
+      "permissions": [
+        29,
+        28
+      ]
+    }
+  },
+  {
+    "model": "auth.group",
+    "pk": 2,
+    "fields": {
+      "name": "Admin",
+      "permissions": [
+        25,
+        29,
+        26,
+        27,
+        28
+      ]
+    }
+  },
+  {
+    "model": "auth.group",
+    "pk": 3,
+    "fields": {
+      "name": "Owner",
+      "permissions": [
+        1,
+        2,
+        3,
+        4,
+        9,
+        10,
+        11,
+        12,
+        5,
+        6,
+        7,
+        8,
+        13,
+        14,
+        15,
+        16,
+        17,
+        18,
+        19,
+        20,
+        25,
+        29,
+        26,
+        27,
+        28,
+        21,
+        22,
+        23,
+        24
+      ]
+    }
+  },
+  {
+    "model": "auth.group",
+    "pk": 4,
+    "fields": {
+      "name": "Viewer",
+      "permissions": [
+        28
+      ]
+    }
+  }
+]

controller/sentry/forms.py

@@ -1,8 +1,27 @@
+from django.conf import settings
+from django.core.exceptions import ValidationError
 from django.forms import DurationField, FloatField, Form
-
-# WIDGET
+from durationwidget.widgets import TimeDurationWidget
 
 
 class BumpForm(Form):
     new_sample_rate = FloatField(help_text="Sample rate between 0 and 1")
-    duration = DurationField(help_text="Duration in second")
+    duration = DurationField(
+        widget=TimeDurationWidget(show_days=False, show_seconds=False),
+        help_text="Duration",
+    )
+
+    def clean_new_sample_rate(self):
+        data = self.cleaned_data["new_sample_rate"]
+        if data < 0 or data > 1:
+            raise ValidationError("new_sample_rate must be between 0 and 1")
+        return data
+
+    def clean_duration(self):
+        data = self.cleaned_data["duration"]
+        if (
+            data.total_seconds() < 0
+            or data.total_seconds() > settings.MAX_BUMP_TIME_SEC
+        ):
+            raise ValidationError("duration must be between 0 and 600")
+        return data

controller/sentry/migrations/0006_alter_app_options.py

@@ -0,0 +1,22 @@
+# Generated by Django 4.1.5 on 2023-01-12 12:39
+
+from django.db import migrations
+
+from controller.sentry.migrations import ImportFixture
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("sentry", "0005_alter_app_celery_metrics_alter_app_wsgi_metrics"),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name="app",
+            options={"permissions": [("bump_sample_rate_app", "Can bump sample rate")]},
+        ),
+        migrations.RunPython(
+            *ImportFixture("controller/sentry/fixtures/groups.json")()
+        ),
+    ]

controller/sentry/migrations/__init__.py

@@ -0,0 +1,38 @@
+from django.core import serializers
+
+
+class ImportFixture:
+    def __init__(self, *files) -> None:
+        self.files = files
+        self.format = format
+
+    def __call__(self):
+        return self.load_fixture, self.unload_fixture
+
+    def get_objects(self):
+        for file in self.files:
+            with open(file) as fixture:
+                objects = serializers.deserialize(
+                    "json", fixture, ignorenonexistent=True
+                )
+                for obj in objects:
+                    yield obj
+
+    def load_fixture(self, apps, schema_editor):
+        for obj in self.get_objects():
+            obj.save()
+
+    def unload_fixture(self, apps, schema_editor):
+        for obj in self.get_objects():
+            model = apps.get_model(obj.object._meta.label)
+            kwargs = dict()
+            if "id" in obj.object.__dict__:
+                kwargs.update(id=obj.object.__dict__.get("id"))
+            elif "slug" in obj.object.__dict__:
+                kwargs.update(slug=obj.object.__dict__.get("slug"))
+            else:
+                kwargs.update(**obj.object.__dict__)
+            try:
+                model.objects.get(**kwargs).delete()
+            except model.DoesNotExist:
+                pass

controller/sentry/models.py

@@ -53,3 +53,6 @@ def merge(self, validated_data):
         merger = MERGER[validated_data["type"]]
         merger(self, validated_data["data"])
         self.last_seen = timezone.now()
+
+    class Meta:
+        permissions = [("bump_sample_rate_app", "Can bump sample rate")]

controller/sentry/utils.py

@@ -15,11 +15,12 @@ def invalidate_cache(path=""):
     """
 
     # Bootstrap request:
-    #   request.path should point to the view endpoint you want to invalidate
-    #   request.META must include the correct SERVER_NAME and SERVER_PORT as django uses these in order
-    #   to build a MD5 hashed value for the cache_key. Similarly, we need to artificially set the
-    #   language code on the request to 'en-us' to match the initial creation of the cache_key.
-    #   YMMV regarding the language code.
+    # request.path should point to the view endpoint you want to invalidate
+    # request.META must include the correct
+    # SERVER_NAME and SERVER_PORT as django uses these in order
+    # to build a MD5 hashed value for the cache_key. Similarly, we need to artificially set the
+    # language code on the request to 'en-us' to match the initial creation of the cache_key.
+    # YMMV regarding the language code.
     request = HttpRequest()
     request.META = settings.CACHE_META_INVALIDATION
     request.LANGUAGE_CODE = "en-us"

controller/settings.py

@@ -34,6 +34,7 @@
     "admin_action_tools",
     "django.contrib.admin",
     "django.contrib.auth",
+    "mozilla_django_oidc",
     "django.contrib.contenttypes",
     "django.contrib.sessions",
     "django.contrib.messages",
@@ -43,9 +44,35 @@
     "widget_tweaks",
     "django_better_admin_arrayfield",
     "django_json_widget",
+    "durationwidget",
     "controller.sentry",
 ]
 
+AUTHENTICATION_BACKENDS = (
+    # "django.contrib.auth.backends.ModelBackend",
+    "controller.sentry.auth.ControllerOIDCAuthenticationBackend",
+)
+
+OIDC_RP_CLIENT_ID = os.getenv("OIDC_RP_CLIENT_ID")
+OIDC_RP_CLIENT_SECRET = os.getenv("OIDC_RP_CLIENT_SECRET")
+# "<URL of the OIDC OP authorization endpoint>"
+OIDC_OP_AUTHORIZATION_ENDPOINT = os.getenv("OIDC_OP_AUTHORIZATION_ENDPOINT")
+# "<URL of the OIDC OP token endpoint>"
+OIDC_OP_TOKEN_ENDPOINT = os.getenv("OIDC_OP_TOKEN_ENDPOINT")
+# "<URL of the OIDC OP userinfo endpoint>"
+OIDC_OP_USER_ENDPOINT = os.getenv("OIDC_OP_USER_ENDPOINT")
+# "<URL path to redirect to after login>"
+LOGIN_REDIRECT_URL = os.getenv("LOGIN_REDIRECT_URL")
+# "<URL path to redirect to after logout>"
+LOGOUT_REDIRECT_URL = os.getenv("LOGOUT_REDIRECT_URL")
+
+OIDC_RP_SIGN_ALGO = os.getenv("OIDC_RP_SIGN_ALGO", "RS256")
+
+OIDC_OP_JWKS_ENDPOINT = os.getenv("OIDC_OP_JWKS_ENDPOINT")
+
+
+DEVELOPER_GROUP = os.getenv("DEVELOPER_GROUP", "Developer")
+
 
 MIDDLEWARE = [
     "django.middleware.security.SecurityMiddleware",
@@ -165,3 +192,8 @@
     "SERVER_PORT": int(os.getenv("CACHE_META_SERVER_PORT", "8000")),
     "HTTP_ACCEPT": os.getenv("CACHE_META_HTTP_ACCEPT", "*/*"),
 }
+
+
+MAX_BUMP_TIME_SEC = int(os.getenv("MAX_BUMP_TIME_SEC", "0"))
+if MAX_BUMP_TIME_SEC == 0:
+    MAX_BUMP_TIME_SEC = 30 * 60  # 30 minutes