feat(tempest): Endpoint for deleting tempest credentials (#82225)

Endpoint for deletion of tempest credentials, only allowed to org
admins.

Audit log entries will be done as a part of a separate ticket to get to
the PoC as soon as possible

Part of getsentry/team-gdx#52

---------

Signed-off-by: Vjeran Grozdanic <[email protected]>

Author: vgrozdanic

src/sentry/api/urls.py

@@ -314,6 +314,7 @@
     SentryInternalAppTokensEndpoint,
 )
 from sentry.tempest.endpoints.tempest_credentials import TempestCredentialsEndpoint
+from sentry.tempest.endpoints.tempest_credentials_details import TempestCredentialsDetailsEndpoint
 from sentry.uptime.endpoints.project_uptime_alert_details import ProjectUptimeAlertDetailsEndpoint
 from sentry.uptime.endpoints.project_uptime_alert_index import ProjectUptimeAlertIndexEndpoint
 from sentry.users.api.endpoints.authenticator_index import AuthenticatorIndexEndpoint
@@ -2794,6 +2795,11 @@ def create_group_urls(name_prefix: str) -> list[URLPattern | URLResolver]:
         TempestCredentialsEndpoint.as_view(),
         name="sentry-api-0-project-tempest-credentials",
     ),
+    re_path(
+        r"^(?P<organization_id_or_slug>[^\/]+)/(?P<project_id_or_slug>[^\/]+)/tempest-credentials/(?P<tempest_credentials_id>\d+)/$",
+        TempestCredentialsDetailsEndpoint.as_view(),
+        name="sentry-api-0-project-tempest-credentials-details",
+    ),
     *workflow_urls.urlpatterns,
 ]
 

src/sentry/tempest/endpoints/tempest_credentials_details.py

@@ -0,0 +1,34 @@
+from rest_framework.exceptions import NotFound
+from rest_framework.request import Request
+from rest_framework.response import Response
+
+from sentry import features
+from sentry.api.api_owners import ApiOwner
+from sentry.api.api_publish_status import ApiPublishStatus
+from sentry.api.base import region_silo_endpoint
+from sentry.api.bases import ProjectEndpoint
+from sentry.models.project import Project
+from sentry.tempest.models import TempestCredentials
+from sentry.tempest.permissions import TempestCredentialsPermission
+
+
+@region_silo_endpoint
+class TempestCredentialsDetailsEndpoint(ProjectEndpoint):
+    publish_status = {
+        "DELETE": ApiPublishStatus.PRIVATE,
+    }
+    owner = ApiOwner.GDX
+
+    permission_classes = (TempestCredentialsPermission,)
+
+    def has_feature(self, request: Request, project: Project) -> bool:
+        return features.has(
+            "organizations:tempest-access", project.organization, actor=request.user
+        )
+
+    def delete(self, request: Request, project: Project, tempest_credentials_id: int) -> Response:
+        if not self.has_feature(request, project):
+            raise NotFound
+
+        TempestCredentials.objects.filter(project=project, id=tempest_credentials_id).delete()
+        return Response(status=204)

tests/sentry/tempest/endpoints/test_tempest_credentials_details.py

@@ -0,0 +1,60 @@
+from sentry.tempest.models import TempestCredentials
+from sentry.testutils.cases import APITestCase
+from sentry.testutils.helpers.features import Feature
+
+
+class TestTempestCredentialsDetails(APITestCase):
+    endpoint = "sentry-api-0-project-tempest-credentials-details"
+
+    def setUp(self):
+        super().setUp()
+        self.tempest_credentials = self.create_tempest_credentials(self.project)
+
+    def test_cant_access_endpoint_if_feature_flag_is_disabled(self):
+        self.login_as(self.user)
+        response = self.get_response(
+            self.project.organization.slug,
+            self.project.slug,
+            self.tempest_credentials.id,
+            method="DELETE",
+        )
+        assert response.status_code == 404
+
+    def test_cant_access_endpoint_if_user_is_not_authenticated(self):
+        response = self.get_response(
+            self.project.organization.slug,
+            self.project.slug,
+            self.tempest_credentials.id,
+            method="DELETE",
+        )
+        assert response.status_code == 401
+
+    def test_delete_tempest_credentials_as_org_admin(self):
+        with Feature({"organizations:tempest-access": True}):
+            self.login_as(self.user)
+            response = self.get_response(
+                self.project.organization.slug,
+                self.project.slug,
+                self.tempest_credentials.id,
+                method="DELETE",
+            )
+
+        assert response.status_code == 204
+        assert not TempestCredentials.objects.filter(id=self.tempest_credentials.id).exists()
+
+    def test_non_admin_cant_delete_credentials(self):
+        non_admin_user = self.create_user()
+        self.create_member(
+            user=non_admin_user, organization=self.project.organization, role="member"
+        )
+        with Feature({"organizations:tempest-access": True}):
+            self.login_as(non_admin_user)
+            response = self.get_response(
+                self.project.organization.slug,
+                self.project.slug,
+                self.tempest_credentials.id,
+                method="DELETE",
+            )
+
+        assert response.status_code == 403
+        assert TempestCredentials.objects.filter(id=self.tempest_credentials.id).exists()