-
-
Notifications
You must be signed in to change notification settings - Fork 4.1k
/
oauth_authorize.py
349 lines (313 loc) · 12.2 KB
/
oauth_authorize.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
import logging
from urllib.parse import parse_qsl, urlencode, urlparse, urlunparse
from django.conf import settings
from django.db import IntegrityError, router, transaction
from django.http import HttpRequest
from django.http.response import HttpResponseBase
from django.utils import timezone
from django.utils.safestring import mark_safe
from sentry.models.apiapplication import ApiApplication, ApiApplicationStatus
from sentry.models.apiauthorization import ApiAuthorization
from sentry.models.apigrant import ApiGrant
from sentry.models.apitoken import ApiToken
from sentry.utils import metrics
from sentry.web.frontend.auth_login import AuthLoginView
logger = logging.getLogger("sentry.api.oauth_authorize")
class OAuthAuthorizeView(AuthLoginView):
auth_required = False
def get_next_uri(self, request: HttpRequest):
return request.get_full_path()
def redirect_response(self, response_type, redirect_uri, params):
if response_type == "token":
return self.redirect(
"{}#{}".format(
redirect_uri,
urlencode([(k, v) for k, v in params.items() if v is not None]),
)
)
parts = list(urlparse(redirect_uri))
query = parse_qsl(parts[4])
for key, value in params.items():
if value is not None:
query.append((key, value))
parts[4] = urlencode(query)
return self.redirect(urlunparse(parts))
def error(
self,
request,
response_type,
redirect_uri,
name,
state=None,
client_id=None,
err_response=None,
):
logging.error(
"oauth.authorize-error",
extra={
"error_name": name,
"response_type": response_type,
"client_id": client_id,
"redirect_uri": redirect_uri,
},
)
if err_response:
return self.respond(
"sentry/oauth-error.html",
{"error": mark_safe(f"Missing or invalid <em>{err_response}</em> parameter.")},
status=400,
)
return self.redirect_response(response_type, redirect_uri, {"error": name, "state": state})
def respond_login(self, request: HttpRequest, context, application, **kwargs):
context["banner"] = f"Connect Sentry to {application.name}"
return self.respond("sentry/login.html", context)
def get(self, request: HttpRequest, **kwargs) -> HttpResponseBase:
response_type = request.GET.get("response_type")
client_id = request.GET.get("client_id")
redirect_uri = request.GET.get("redirect_uri")
scopes = request.GET.get("scope")
state = request.GET.get("state")
force_prompt = request.GET.get("force_prompt")
if not client_id:
return self.error(
request=request,
client_id=client_id,
response_type=response_type,
redirect_uri=redirect_uri,
name="unauthorized_client",
err_response="client_id",
)
try:
application = ApiApplication.objects.get(
client_id=client_id, status=ApiApplicationStatus.active
)
except ApiApplication.DoesNotExist:
return self.error(
request=request,
client_id=client_id,
response_type=response_type,
redirect_uri=redirect_uri,
name="unauthorized_client",
err_response="client_id",
)
if not redirect_uri:
redirect_uri = application.get_default_redirect_uri()
elif not application.is_valid_redirect_uri(redirect_uri):
return self.error(
request=request,
client_id=client_id,
response_type=response_type,
redirect_uri=redirect_uri,
name="invalid_request",
err_response="redirect_uri",
)
if not application.is_allowed_response_type(response_type):
return self.error(
request=request,
client_id=client_id,
response_type=response_type,
redirect_uri=redirect_uri,
name="unsupported_response_type",
err_response="client_id",
)
if scopes:
scopes = scopes.split(" ")
for scope in scopes:
if scope not in settings.SENTRY_SCOPES:
return self.error(
request=request,
client_id=client_id,
response_type=response_type,
redirect_uri=redirect_uri,
name="invalid_scope",
state=state,
)
else:
scopes = []
payload = {
"rt": response_type,
"cid": client_id,
"ru": redirect_uri,
"sc": scopes,
"st": state,
"uid": request.user.id if request.user.is_authenticated else "",
}
request.session["oa2"] = payload
if not request.user.is_authenticated:
return super().get(request, application=application)
if not force_prompt:
try:
existing_auth = ApiAuthorization.objects.get(
user_id=request.user.id, application=application
)
except ApiAuthorization.DoesNotExist:
pass
else:
# if we've already approved all of the required scopes
# we can skip prompting the user
if all(existing_auth.has_scope(s) for s in scopes):
return self.approve(
request=request,
application=application,
scopes=scopes,
response_type=response_type,
redirect_uri=redirect_uri,
state=state,
)
payload = {
"rt": response_type,
"cid": client_id,
"ru": redirect_uri,
"sc": scopes,
"st": state,
"uid": request.user.id,
}
request.session["oa2"] = payload
permissions = []
if scopes:
pending_scopes = set(scopes)
matched_sets = set()
for scope_set in settings.SENTRY_SCOPE_SETS:
for scope, description in scope_set:
if scope_set in matched_sets and scope in pending_scopes:
pending_scopes.remove(scope)
elif scope in pending_scopes:
permissions.append(description)
matched_sets.add(scope_set)
pending_scopes.remove(scope)
if pending_scopes:
raise NotImplementedError(f"{pending_scopes} scopes did not have descriptions")
context = {
"user": request.user,
"application": application,
"scopes": scopes,
"permissions": permissions,
}
return self.respond("sentry/oauth-authorize.html", context)
def post(self, request: HttpRequest, **kwargs) -> HttpResponseBase:
try:
payload = request.session["oa2"]
except KeyError:
return self.respond(
"sentry/oauth-error.html",
{
"error": "We were unable to complete your request. Please re-initiate the authorization flow."
},
)
try:
application = ApiApplication.objects.get(
client_id=payload["cid"], status=ApiApplicationStatus.active
)
except ApiApplication.DoesNotExist:
return self.respond(
"sentry/oauth-error.html",
{"error": mark_safe("Missing or invalid <em>client_id</em> parameter.")},
)
if not request.user.is_authenticated:
response = super().post(request, application=application, **kwargs)
# once they login, bind their user ID
if request.user.is_authenticated:
request.session["oa2"]["uid"] = request.user.id
request.session.modified = True
return response
if payload["uid"] != request.user.id:
return self.respond(
"sentry/oauth-error.html",
{
"error": "We were unable to complete your request. Please re-initiate the authorization flow."
},
)
response_type = payload["rt"]
redirect_uri = payload["ru"]
scopes = payload["sc"]
op = request.POST.get("op")
if op == "approve":
return self.approve(
request=request,
application=application,
scopes=scopes,
response_type=response_type,
redirect_uri=redirect_uri,
state=payload["st"],
)
elif op == "deny":
return self.error(
request=request,
client_id=payload["cid"],
response_type=response_type,
redirect_uri=redirect_uri,
name="access_denied",
state=payload["st"],
)
else:
raise NotImplementedError
def approve(self, request: HttpRequest, application, **params):
try:
with transaction.atomic(router.db_for_write(ApiAuthorization)):
ApiAuthorization.objects.create(
application=application, user_id=request.user.id, scope_list=params["scopes"]
)
except IntegrityError:
if params["scopes"]:
auth = ApiAuthorization.objects.get(
application=application, user_id=request.user.id
)
for scope in params["scopes"]:
if scope not in auth.scope_list:
auth.scope_list.append(scope)
auth.save()
metrics.incr(
"oauth_authorize.get.approve",
sample_rate=1.0,
tags={
"response_type": params["response_type"],
},
)
if params["response_type"] == "code":
grant = ApiGrant.objects.create(
user_id=request.user.id,
application=application,
redirect_uri=params["redirect_uri"],
scope_list=params["scopes"],
)
logger.info(
"approve.grant",
extra={
"response_type": params["response_type"],
"redirect_uri": params["redirect_uri"],
"scope": params["scopes"],
},
)
return self.redirect_response(
params["response_type"],
params["redirect_uri"],
{"code": grant.code, "state": params["state"]},
)
elif params["response_type"] == "token":
token = ApiToken.objects.create(
application=application,
user_id=request.user.id,
refresh_token=None,
scope_list=params["scopes"],
)
logger.info(
"approve.token",
extra={
"response_type": params["response_type"],
"redirect_uri": params["redirect_uri"],
"scope": " ".join(token.get_scopes()),
"state": params["state"],
},
)
return self.redirect_response(
params["response_type"],
params["redirect_uri"],
{
"access_token": token.token,
"expires_in": int((timezone.now() - token.expires_at).total_seconds()),
"expires_at": token.expires_at.strftime("%Y-%m-%dT%H:%M:%S.%fZ"),
"token_type": "bearer",
"scope": " ".join(token.get_scopes()),
"state": params["state"],
},
)