Beispiel #1
0
    def test_anonymous_user(self):
        user = self.create_user()
        anon_user = AnonymousUser()
        organization = self.create_organization(owner=user)
        result = access.from_user(anon_user, organization)

        assert not result.is_active
Beispiel #2
0
def get_default_context(request, existing_context=None, team=None):
    from sentry.plugins import plugins

    context = {
        'EVENTS_PER_PAGE': EVENTS_PER_PAGE,
        'URL_PREFIX': settings.SENTRY_URL_PREFIX,
        'SINGLE_ORGANIZATION': settings.SENTRY_SINGLE_ORGANIZATION,
        'PLUGINS': plugins,
        'ALLOWED_HOSTS': settings.ALLOWED_HOSTS,
        'SENTRY_RAVEN_JS_URL': settings.SENTRY_RAVEN_JS_URL,
    }

    if existing_context:
        if team is None and 'team' in existing_context:
            team = existing_context['team']

        if 'project' in existing_context:
            project = existing_context['project']
        else:
            project = None
    else:
        project = None

    if team:
        organization = team.organization
    elif project:
        organization = project.organization
    else:
        organization = None

    if request:
        context.update({
            'request': request,
        })

        if (not existing_context or 'TEAM_LIST' not in existing_context) and team:
            context['TEAM_LIST'] = Team.objects.get_for_user(
                organization=team.organization,
                user=request.user,
                with_projects=True,
            )

        user = request.user
    else:
        user = AnonymousUser()

    if organization:
        context['selectedOrganization'] = serialize(organization, user)
    if team:
        context['selectedTeam'] = serialize(team, user)
    if project:
        context['selectedProject'] = serialize(project, user)

    if not existing_context or 'ACCESS' not in existing_context:
        context['ACCESS'] = access.from_user(
            user=user,
            organization=organization,
        ).to_django_context()

    return context
Beispiel #3
0
    def delete(self, request, *args, **kwargs):
        """
        Logout the Authenticated User
        `````````````````````````````

        Deauthenticate the currently active session.
        """
        logout(request._request)
        request.user = AnonymousUser()
        return Response(status=204)
Beispiel #4
0
    def authenticate_credentials(self, userid, password):
        try:
            pk = ProjectKey.objects.get_from_cache(public_key=userid)
        except ProjectKey.DoesNotExist:
            return None

        if not constant_time_compare(pk.secret_key, password):
            return None

        if not pk.is_active:
            raise AuthenticationFailed('Key is disabled')

        if not pk.roles.api:
            raise AuthenticationFailed('Key does not allow API access')

        return (AnonymousUser(), pk)
Beispiel #5
0
    def authenticate_credentials(self, userid, password):
        if password:
            return

        try:
            key = ApiKey.objects.get_from_cache(key=userid)
        except ApiKey.DoesNotExist:
            return None

        if not key.is_active:
            raise AuthenticationFailed('Key is disabled')

        raven.tags_context({
            'api_key': userid,
        })

        return (AnonymousUser(), key)
Beispiel #6
0
    def _dispatch(self,
                  request,
                  helper,
                  project_id=None,
                  origin=None,
                  *args,
                  **kwargs):
        # NOTE: We need to override the auth flow for a CSP report!
        # A CSP report is sent as a POST request with no Origin or Referer
        # header. What we're left with is a 'document-uri' key which is
        # inside of the JSON body of the request. This 'document-uri' value
        # should be treated as an origin check since it refers to the page
        # that triggered the report. The Content-Type is supposed to be
        # `application/csp-report`, but FireFox sends it as `application/json`.
        if request.method != 'POST':
            return HttpResponseNotAllowed(['POST'])

        if request.META.get('CONTENT_TYPE') not in self.content_types:
            raise APIError('Invalid Content-Type')

        request.user = AnonymousUser()

        project = self._get_project_from_id(project_id)
        helper.context.bind_project(project)
        Raven.tags_context(helper.context.get_tags_context())

        # This is yanking the auth from the querystring since it's not
        # in the POST body. This means we expect a `sentry_key` and
        # `sentry_version` to be set in querystring
        auth = self._parse_header(request, helper, project)

        project_ = helper.project_from_auth(auth)
        if project_ != project:
            raise APIError('Two different project were specified')

        helper.context.bind_auth(auth)
        Raven.tags_context(helper.context.get_tags_context())

        return super(APIView, self).dispatch(request=request,
                                             project=project,
                                             auth=auth,
                                             helper=helper,
                                             **kwargs)
Beispiel #7
0
def serialize(objects, user=None, serializer=None):
    if user is None:
        user = AnonymousUser()

    if not objects:
        return objects
    elif not isinstance(objects, (list, tuple)):
        return serialize([objects], user=user, serializer=serializer)[0]

    # elif isinstance(obj, dict):
    #     return dict((k, serialize(v, request=request)) for k, v in obj.iteritems())
    if serializer is None:
        try:
            serializer = registry[type(objects[0])]
        except KeyError:
            return objects

    attrs = serializer.get_attrs(item_list=objects, user=user)
    return [serializer(o, attrs=attrs.get(o, {}), user=user) for o in objects]
Beispiel #8
0
    def _dispatch(self, request, helper, project_id=None, origin=None,
                  *args, **kwargs):
        request.user = AnonymousUser()

        project = self._get_project_from_id(project_id)
        if project:
            helper.context.bind_project(project)
            Raven.tags_context(helper.context.get_tags_context())

        if origin is not None:
            # This check is specific for clients who need CORS support
            if not project:
                raise APIError('Client must be upgraded for CORS support')
            if not is_valid_origin(origin, project):
                raise APIForbidden('Invalid origin: %s' % (origin,))

        # XXX: It seems that the OPTIONS call does not always include custom headers
        if request.method == 'OPTIONS':
            response = self.options(request, project)
        else:
            auth = self._parse_header(request, helper, project)

            project_ = helper.project_from_auth(auth)

            # Legacy API was /api/store/ and the project ID was only available elsewhere
            if not project:
                if not project_:
                    raise APIError('Unable to identify project')
                project = project_
            elif project_ != project:
                raise APIError('Two different project were specified')

            helper.context.bind_auth(auth)
            Raven.tags_context(helper.context.get_tags_context())

            if auth.version != '2.0':
                if request.method == 'GET':
                    # GET only requires an Origin/Referer check
                    # If an Origin isn't passed, it's possible that the project allows no origin,
                    # so we need to explicitly check for that here. If Origin is not None,
                    # it can be safely assumed that it was checked previously and it's ok.
                    if origin is None and not is_valid_origin(origin, project):
                        # Special case an error message for a None origin when None wasn't allowed
                        raise APIForbidden('Missing required Origin or Referer header')
                else:
                    # Version 3 enforces secret key for server side requests
                    if not auth.secret_key:
                        raise APIForbidden('Missing required attribute in authentication header: sentry_secret')

            response = super(APIView, self).dispatch(
                request=request,
                project=project,
                auth=auth,
                helper=helper,
                **kwargs
            )

        if origin:
            response['Access-Control-Allow-Origin'] = origin

        return response
Beispiel #9
0
    def handle(self, request):
        logout(request)
        request.user = AnonymousUser()

        return self.redirect(reverse('sentry'))
Beispiel #10
0
 def test_anonymous_user(self, get_project_list):
     get_project_list.return_value = []
     self.group.is_public = True
     result = group_is_public(self.group, AnonymousUser())
     assert result is True
Beispiel #11
0
 def process_request(self, request):
     super(AuthenticationMiddleware, self).process_request(request)
     if not request.user.is_authenticated():
         # swap in our custom class
         request.user = AnonymousUser()
Beispiel #12
0
 def handle(self, request):
     rv = get_login_redirect(request)
     logout(request)
     request.user = AnonymousUser()
     return self.redirect(rv)