fix(auth): Adding scoping_organization_id to replica (#81213)

Adding scoping_organization_id to both ApiTokenReplica and SystemToken.
The reason is that we want to limit auth tokens that are scoped to a
specific organizations to any other organization.
Context on why we need this is here:
#81193

Author: sentaur-athena

fixtures/backup/model_dependencies/detailed.json

@@ -119,6 +119,11 @@
         "model": "sentry.organization",
         "nullable": true
       },
+      "scoping_organization_id": {
+        "kind": "HybridCloudForeignKey",
+        "model": "sentry.organization",
+        "nullable": true
+      },
       "user_id": {
         "kind": "HybridCloudForeignKey",
         "model": "sentry.user",

migrations_lockfile.txt

@@ -7,7 +7,7 @@ will then be regenerated, and you should be able to merge without conflicts.
 
 feedback: 0004_index_together
 
-hybridcloud: 0016_add_control_cacheversion
+hybridcloud: 0017_add_scoping_organization_apitokenreplica
 
 nodestore: 0002_nodestore_no_dictfield
 

src/sentry/auth/services/auth/model.py

@@ -40,6 +40,7 @@ class RpcApiToken(RpcModel):
     expires_at: datetime.datetime | None = None
     allowed_origins: list[str] = Field(default_factory=list)
     scope_list: list[str] = Field(default_factory=list)
+    scoping_organization_id: int | None = None
 
 
 class RpcMemberSsoState(RpcModel):

src/sentry/auth/services/auth/serial.py

@@ -85,6 +85,7 @@ def serialize_api_token(at: ApiToken) -> RpcApiToken:
         user_id=at.user_id,
         application_id=at.application_id,
         organization_id=at.organization_id,
+        scoping_organization_id=at.scoping_organization_id,
         application_is_active=at.application is None or at.application.is_active,
         token=at.token,
         hashed_token=at.hashed_token,

src/sentry/auth/system.py

@@ -46,6 +46,7 @@ class SystemToken:
     token = "<system.secret-key>"
     application = None
     organization_id = None
+    scoping_organization_id = None
 
     @classmethod
     def from_request(cls, request: HttpRequest, token: str) -> SystemToken | None:

src/sentry/hybridcloud/migrations/0017_add_scoping_organization_apitokenreplica.py

@@ -0,0 +1,36 @@
+# Generated by Django 5.1.1 on 2024-11-22 22:03
+
+from django.db import migrations
+
+import sentry.db.models.fields.hybrid_cloud_foreign_key
+from sentry.new_migrations.migrations import CheckedMigration
+
+
+class Migration(CheckedMigration):
+    # This flag is used to mark that a migration shouldn't be automatically run in production.
+    # This should only be used for operations where it's safe to run the migration after your
+    # code has deployed. So this should not be used for most operations that alter the schema
+    # of a table.
+    # Here are some things that make sense to mark as post deployment:
+    # - Large data migrations. Typically we want these to be run manually so that they can be
+    #   monitored and not block the deploy for a long period of time while they run.
+    # - Adding indexes to large tables. Since this can take a long time, we'd generally prefer to
+    #   run this outside deployments so that we don't block them. Note that while adding an index
+    #   is a schema change, it's completely safe to run the operation after the code has deployed.
+    # Once deployed, run these manually via: https://develop.sentry.dev/database-migrations/#migration-deployment
+
+    is_post_deployment = False
+
+    dependencies = [
+        ("hybridcloud", "0016_add_control_cacheversion"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="apitokenreplica",
+            name="scoping_organization_id",
+            field=sentry.db.models.fields.hybrid_cloud_foreign_key.HybridCloudForeignKey(
+                "sentry.Organization", db_index=True, null=True, on_delete="CASCADE"
+            ),
+        ),
+    ]

src/sentry/hybridcloud/models/apitokenreplica.py

@@ -24,6 +24,9 @@ class ApiTokenReplica(Model, HasApiScopes):
     expires_at = models.DateTimeField(null=True)
     allowed_origins = models.TextField(blank=True, null=True)
     date_added = models.DateTimeField(default=timezone.now)
+    scoping_organization_id = HybridCloudForeignKey(
+        "sentry.Organization", null=True, on_delete="CASCADE"
+    )
 
     class Meta:
         app_label = "hybridcloud"

src/sentry/hybridcloud/services/replica/impl.py

@@ -163,6 +163,7 @@ def upsert_replicated_api_token(self, *, api_token: RpcApiToken, region_name: st
                 "\n".join(api_token.allowed_origins) if api_token.allowed_origins else None
             ),
             user_id=api_token.user_id,
+            scoping_organization_id=api_token.scoping_organization_id,
         )
         handle_replication(ApiToken, destination)
 

tests/sentry/backup/snapshots/test_comparators/test_default_comparators.pysnap

@@ -1,5 +1,5 @@
 ---
-created: '2024-11-21T21:10:04.656611+00:00'
+created: '2024-11-25T20:44:29.207064+00:00'
 creator: sentry
 source: tests/sentry/backup/test_comparators.py
 ---
@@ -33,6 +33,7 @@ source: tests/sentry/backup/test_comparators.py
     - apitoken_id
     - application_id
     - organization
+    - scoping_organization_id
     - user_id
   model_name: hybridcloud.apitokenreplica
 - comparators: