Rate limit organization creation (#4080)

* Rate limit organization creation

This adds rate limits to org creation (to prevent abuse from HackerOne kids). They default at 5 per hour.

Author: dcramer

src/sentry/api/endpoints/organization_index.py

@@ -7,14 +7,15 @@
 from rest_framework import serializers, status
 from rest_framework.response import Response
 
-from sentry import roles
+from sentry import features, options, roles
+from sentry.app import ratelimiter
 from sentry.api.base import DocSection, Endpoint
 from sentry.api.bases.organization import OrganizationPermission
 from sentry.api.paginator import DateTimePaginator, OffsetPaginator
 from sentry.api.serializers import serialize
 from sentry.models import (
-    AuditLogEntryEvent, Organization, OrganizationMember, OrganizationStatus,
-    ProjectPlatform
+    AuditLogEntryEvent, Organization, OrganizationMember,
+    OrganizationMemberTeam, OrganizationStatus, ProjectPlatform
 )
 from sentry.search.utils import tokenize_query, in_iexact
 from sentry.utils.apidocs import scenario, attach_scenarios
@@ -32,6 +33,7 @@ class OrganizationSerializer(serializers.Serializer):
     name = serializers.CharField(max_length=64, required=True)
     slug = serializers.RegexField(r'^[a-z0-9_\-]+$', max_length=50,
                                   required=False)
+    defaultTeam = serializers.BooleanField(required=False)
 
 
 class OrganizationIndexEndpoint(Endpoint):
@@ -154,6 +156,20 @@ def post(self, request):
             return Response({'detail': 'This endpoint requires user info'},
                             status=401)
 
+        if not features.has('organizations:create', actor=request.user):
+            return Response({
+                'detail': 'Organizations are not allowed to be created by this user.'
+            }, status=401)
+
+        limit = options.get('api.rate-limit.org-create')
+        if limit and ratelimiter.is_limited(
+            u'org-create:{}'.format(request.user.id),
+            limit=5, window=3600,
+        ):
+            return Response({
+                'detail': 'You are attempting to create too many organizations too quickly.'
+            }, status=429)
+
         serializer = OrganizationSerializer(data=request.DATA)
 
         if serializer.is_valid():
@@ -171,12 +187,23 @@ def post(self, request):
                     status=409,
                 )
 
-            OrganizationMember.objects.create(
-                user=request.user,
+            om = OrganizationMember.objects.create(
                 organization=org,
+                user=request.user,
                 role=roles.get_top_dog().id,
             )
 
+            if result.get('defaultTeam'):
+                team = org.team_set.create(
+                    name=org.name,
+                )
+
+                OrganizationMemberTeam.objects.create(
+                    team=team,
+                    organizationmember=om,
+                    is_active=True
+                )
+
             self.create_audit_entry(
                 request=request,
                 organization=org,

src/sentry/options/defaults.py

@@ -78,3 +78,5 @@
 
 register('auth.ip-rate-limit', default=0, flags=FLAG_ALLOW_EMPTY | FLAG_PRIORITIZE_DISK)
 register('auth.user-rate-limit', default=0, flags=FLAG_ALLOW_EMPTY | FLAG_PRIORITIZE_DISK)
+
+register('api.rate-limit.org-create', default=5, flags=FLAG_ALLOW_EMPTY | FLAG_PRIORITIZE_DISK)

src/sentry/options/manager.py

@@ -194,6 +194,9 @@ def register(self, key, default=None, type=None, flags=DEFAULT_FLAGS,
                  ttl=DEFAULT_KEY_TTL, grace=DEFAULT_KEY_GRACE):
         assert key not in self.registry, 'Option already registered: %r' % key
 
+        if len(key) > 64:
+            raise ValueError('Option key has max length of 64 characters')
+
         # If our default is a callable, execute it to
         # see what value is returns, so we can use that to derive the type
         if not callable(default):

src/sentry/static/sentry/app/options.jsx

@@ -51,6 +51,12 @@ const definitions = [
     placeholder: 'e.g. 10',
     help: t('The maximum number of times an authentication attempt may be made against a single account in a 60 second window.'),
   },
+  {
+    key: 'api.rate-limit.org-create',
+    label: 'Organization Creation Rate Limit',
+    placeholder: 'e.g. 5',
+    help: t('The maximum number of organizations which may be created by a single account in a one hour window.'),
+  },
   {
     key: 'mail.from',
     label: t('Email From'),

src/sentry/static/sentry/app/views/adminSettings.jsx

@@ -15,6 +15,7 @@ const optionsAvailable = [
   'system.rate-limit',
   'auth.ip-rate-limit',
   'auth.user-rate-limit',
+  'api.rate-limit.org-create',
 ];
 
 const SettingsList = React.createClass({
@@ -75,9 +76,10 @@ const SettingsList = React.createClass({
         {fields['system.admin-email']}
         {fields['system.rate-limit']}
 
-        <h4>Authentication</h4>
+        <h4>Security &amp; Abuse</h4>
         {fields['auth.ip-rate-limit']}
         {fields['auth.user-rate-limit']}
+        {fields['api.rate-limit.org-create']}
       </Form>
     );
   }

src/sentry/web/frontend/create_organization.py

@@ -5,22 +5,15 @@
 from django.http import HttpResponseRedirect
 from django.utils.translation import ugettext_lazy as _
 
-from sentry import features, roles
-from sentry.models import (
-    AuditLogEntryEvent, Organization, OrganizationMember,
-    OrganizationMemberTeam
-)
+from sentry import features
+from sentry.api import client
 from sentry.web.frontend.base import BaseView
 
 
-class NewOrganizationForm(forms.ModelForm):
+class NewOrganizationForm(forms.Form):
     name = forms.CharField(label=_('Organization Name'), max_length=200,
         widget=forms.TextInput(attrs={'placeholder': _('My Company')}))
 
-    class Meta:
-        fields = ('name',)
-        model = Organization
-
 
 class CreateOrganizationView(BaseView):
     def get_form(self, request):
@@ -32,35 +25,14 @@ def has_permission(self, request):
     def handle(self, request):
         form = self.get_form(request)
         if form.is_valid():
-            org = form.save()
-
-            om = OrganizationMember.objects.create(
-                organization=org,
-                user=request.user,
-                role=roles.get_top_dog().id,
-            )
-
-            team = org.team_set.create(
-                name=org.name,
-            )
-
-            OrganizationMemberTeam.objects.create(
-                team=team,
-                organizationmember=om,
-                is_active=True
-            )
-
-            self.create_audit_entry(
-                request,
-                organization=org,
-                target_object=org.id,
-                event=AuditLogEntryEvent.ORG_ADD,
-                data=org.get_audit_log_data(),
-            )
+            resp = client.post('/organizations/', data={
+                'name': form.cleaned_data['name'],
+                'defaultTeam': True,
+            }, request=request)
 
-            url = reverse('sentry-create-project', args=[org.slug])
+            url = reverse('sentry-create-project', args=[resp.data['slug']])
 
-            return HttpResponseRedirect('{}?team={}'.format(url, team.slug))
+            return HttpResponseRedirect(url)
 
         context = {
             'form': form,

tests/sentry/web/frontend/test_create_organization.py

@@ -34,9 +34,9 @@ def test_valid_params(self):
             role='owner',
         ).exists()
 
-        team = org.team_set.get()
+        assert org.team_set.exists()
 
         redirect_uri = reverse('sentry-create-project', args=[org.slug])
-        assert resp['Location'] == 'http://testserver%s?team=%s' % (
-            redirect_uri, team.slug,
+        assert resp['Location'] == 'http://testserver%s' % (
+            redirect_uri,
         )