def test_challenge_response_validation_errors():
with pytest.raises(semaphore.UnpackErrorSignatureExpired):
resp = semaphore.create_register_challenge(
b'{"relay_id":"95dc7c80-6db7-4505-8969-3a0927bfb85d","public_key":"KXxwPvbhadLYTglsiGnQe2lxKLCT4VB2qEDd-OQVLbQ"}',
'EQXKqDYLei5XhDucMDIR3n1khdcOqGWmUWDYhcnvi-OBkW92qfcAMSjSn8xPYDmkB2kLnNNsaFeBx1VifD3TCw.eyJ0IjoiMjAxOC0wMy0wMVQwOTo0NjowNS41NDA0NzdaIn0',
max_age=1)
with pytest.raises(semaphore.UnpackErrorBadPayload):
resp = semaphore.create_register_challenge(
b'{"relay_id":"95dc7c80-6db7-4505-8969-3a0927bfb85d","public_key":"KXxwPvbhadLYTglsiGnQe2lxKLCT4VB2qEDd-OQVLbQ"}glumpat',
'EQXKqDYLei5XhDucMDIR3n1khdcOqGWmUWDYhcnvi-OBkW92qfcAMSjSn8xPYDmkB2kLnNNsaFeBx1VifD3TCw.eyJ0IjoiMjAxOC0wMy0wMVQwOTo0NjowNS41NDA0NzdaIn0',
max_age=1)
def test_challenge_response_validation_errors():
with pytest.raises(semaphore.UnpackErrorSignatureExpired):
semaphore.create_register_challenge(
b'{"relay_id":"95dc7c80-6db7-4505-8969-3a0927bfb85d","public_key":"KXxwPvbhadLYTglsiGnQe2lxKLCT4VB2qEDd-OQVLbQ"}',
"EQXKqDYLei5XhDucMDIR3n1khdcOqGWmUWDYhcnvi-OBkW92qfcAMSjSn8xPYDmkB2kLnNNsaFeBx1VifD3TCw.eyJ0IjoiMjAxOC0wMy0wMVQwOTo0NjowNS41NDA0NzdaIn0",
max_age=1,
)
with pytest.raises(semaphore.UnpackErrorBadPayload):
semaphore.create_register_challenge(
b'{"relay_id":"95dc7c80-6db7-4505-8969-3a0927bfb85d","public_key":"KXxwPvbhadLYTglsiGnQe2lxKLCT4VB2qEDd-OQVLbQ"}glumpat',
"EQXKqDYLei5XhDucMDIR3n1khdcOqGWmUWDYhcnvi-OBkW92qfcAMSjSn8xPYDmkB2kLnNNsaFeBx1VifD3TCw.eyJ0IjoiMjAxOC0wMy0wMVQwOTo0NjowNS41NDA0NzdaIn0",
max_age=1,
)
def test_challenge_response():
resp = semaphore.create_register_challenge(
b'{"relay_id":"95dc7c80-6db7-4505-8969-3a0927bfb85d","public_key":"KXxwPvbhadLYTglsiGnQe2lxKLCT4VB2qEDd-OQVLbQ"}',
"EQXKqDYLei5XhDucMDIR3n1khdcOqGWmUWDYhcnvi-OBkW92qfcAMSjSn8xPYDmkB2kLnNNsaFeBx1VifD3TCw.eyJ0IjoiMjAxOC0wMy0wMVQwOTo0NjowNS41NDA0NzdaIn0",
max_age=0xFFFFFFFF,
)
assert str(resp["public_key"]) == "KXxwPvbhadLYTglsiGnQe2lxKLCT4VB2qEDd-OQVLbQ"
assert resp["relay_id"] == uuid.UUID("95dc7c80-6db7-4505-8969-3a0927bfb85d")
assert len(resp["token"]) > 40
def post(self, request):
"""
Requests to Register a Relay
````````````````````````````
Registers the relay with the sentry installation. If a relay boots
it will always attempt to invoke this endpoint.
"""
try:
json_data = json.loads(request.body)
except ValueError:
return Response({
'detail': 'No valid json body',
}, status=status.HTTP_400_BAD_REQUEST)
serializer = RelayRegisterChallengeSerializer(data=json_data)
if not serializer.is_valid():
return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
if not self.check_allowed_relay(request, json_data):
return Response({
'detail': 'Relay is not allowed to register',
}, status=status.HTTP_401_UNAUTHORIZED)
sig = get_header_relay_signature(request)
if not sig:
return Response({
'detail': 'Missing relay signature',
}, status=status.HTTP_400_BAD_REQUEST)
try:
challenge = create_register_challenge(request.body, sig)
except Exception as exc:
return Response({
'detail': str(exc).splitlines()[0],
}, status=status.HTTP_400_BAD_REQUEST)
relay_id = six.text_type(challenge['relay_id'])
if relay_id != get_header_relay_id(request):
return Response({
'detail': 'relay_id in payload did not match header',
}, status=status.HTTP_400_BAD_REQUEST)
try:
relay = Relay.objects.get(relay_id=relay_id)
except Relay.DoesNotExist:
pass
else:
if relay.public_key != six.text_type(challenge['public_key']):
# This happens if we have an ID collision or someone copies an existing id
return Response({
'detail': 'Attempted to register agent with a different public key',
}, status=status.HTTP_400_BAD_REQUEST)
default_cache.set('relay-auth:%s' % relay_id, {
'token': challenge['token'],
'public_key': six.text_type(challenge['public_key']),
}, 60)
return Response(serialize({
'relay_id': six.text_type(challenge['relay_id']),
'token': challenge['token'],
}))
def post(self, request):
"""
Requests to Register a Relay
````````````````````````````
Registers the relay with the sentry installation. If a relay boots
it will always attempt to invoke this endpoint.
"""
try:
json_data = json.loads(request.body)
except ValueError:
return Response({
'detail': 'No valid json body',
}, status=status.HTTP_400_BAD_REQUEST)
serializer = RelayRegisterChallengeSerializer(data=json_data)
if not serializer.is_valid():
return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
if not settings.SENTRY_RELAY_OPEN_REGISTRATION and \
not is_internal_relay(request, json_data.get('public_key')):
return Response({
'detail': 'Relay is not allowed to register',
}, status=status.HTTP_401_UNAUTHORIZED)
sig = get_header_relay_signature(request)
if not sig:
return Response({
'detail': 'Missing relay signature',
}, status=status.HTTP_400_BAD_REQUEST)
try:
challenge = create_register_challenge(request.body, sig)
except Exception as exc:
return Response({
'detail': str(exc).splitlines()[0],
}, status=status.HTTP_400_BAD_REQUEST)
relay_id = six.text_type(challenge['relay_id'])
if relay_id != get_header_relay_id(request):
return Response({
'detail': 'relay_id in payload did not match header',
}, status=status.HTTP_400_BAD_REQUEST)
try:
relay = Relay.objects.get(relay_id=relay_id)
except Relay.DoesNotExist:
pass
else:
if relay.public_key != six.text_type(challenge['public_key']):
# This happens if we have an ID collision or someone copies an existing id
return Response({
'detail': 'Attempted to register agent with a different public key',
}, status=status.HTTP_400_BAD_REQUEST)
default_cache.set('relay-auth:%s' % relay_id, {
'token': challenge['token'],
'public_key': six.text_type(challenge['public_key']),
}, 60)
return Response(serialize({
'relay_id': six.text_type(challenge['relay_id']),
'token': challenge['token'],
}))
def post(self, request):
"""
Requests to Register a Relay
````````````````````````````
Registers the relay with the sentry installation. If a relay boots
it will always attempt to invoke this endpoint.
"""
try:
json_data = json.loads(request.body)
except ValueError:
return Response({"detail": "No valid json body"}, status=status.HTTP_400_BAD_REQUEST)
serializer = RelayRegisterChallengeSerializer(data=json_data)
if not serializer.is_valid():
return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
if not settings.SENTRY_RELAY_OPEN_REGISTRATION and not is_internal_relay(
request, json_data.get("public_key")
):
return Response(
{"detail": "Relay is not allowed to register"}, status=status.HTTP_401_UNAUTHORIZED
)
sig = get_header_relay_signature(request)
if not sig:
return Response(
{"detail": "Missing relay signature"}, status=status.HTTP_400_BAD_REQUEST
)
try:
challenge = create_register_challenge(request.body, sig)
except Exception as exc:
return Response(
{"detail": str(exc).splitlines()[0]}, status=status.HTTP_400_BAD_REQUEST
)
relay_id = six.text_type(challenge["relay_id"])
if relay_id != get_header_relay_id(request):
return Response(
{"detail": "relay_id in payload did not match header"},
status=status.HTTP_400_BAD_REQUEST,
)
try:
relay = Relay.objects.get(relay_id=relay_id)
except Relay.DoesNotExist:
pass
else:
if relay.public_key != six.text_type(challenge["public_key"]):
# This happens if we have an ID collision or someone copies an existing id
return Response(
{"detail": "Attempted to register agent with a different public key"},
status=status.HTTP_400_BAD_REQUEST,
)
default_cache.set(
"relay-auth:%s" % relay_id,
{"token": challenge["token"], "public_key": six.text_type(challenge["public_key"])},
60,
)
return Response(
serialize(
{"relay_id": six.text_type(challenge["relay_id"]), "token": challenge["token"]}
)
)