def test_challenge_response_validation_errors():
with pytest.raises(sentry_relay.UnpackErrorSignatureExpired):
sentry_relay.create_register_challenge(
b'{"relay_id":"95dc7c80-6db7-4505-8969-3a0927bfb85d","public_key":"KXxwPvbhadLYTglsiGnQe2lxKLCT4VB2qEDd-OQVLbQ"}',
"EQXKqDYLei5XhDucMDIR3n1khdcOqGWmUWDYhcnvi-OBkW92qfcAMSjSn8xPYDmkB2kLnNNsaFeBx1VifD3TCw.eyJ0IjoiMjAxOC0wMy0wMVQwOTo0NjowNS41NDA0NzdaIn0",
max_age=1,
)
with pytest.raises(sentry_relay.UnpackErrorBadPayload):
sentry_relay.create_register_challenge(
b'{"relay_id":"95dc7c80-6db7-4505-8969-3a0927bfb85d","public_key":"KXxwPvbhadLYTglsiGnQe2lxKLCT4VB2qEDd-OQVLbQ"}glumpat',
"EQXKqDYLei5XhDucMDIR3n1khdcOqGWmUWDYhcnvi-OBkW92qfcAMSjSn8xPYDmkB2kLnNNsaFeBx1VifD3TCw.eyJ0IjoiMjAxOC0wMy0wMVQwOTo0NjowNS41NDA0NzdaIn0",
max_age=1,
)
def test_challenge_response():
resp = sentry_relay.create_register_challenge(
b'{"relay_id":"95dc7c80-6db7-4505-8969-3a0927bfb85d","public_key":"KXxwPvbhadLYTglsiGnQe2lxKLCT4VB2qEDd-OQVLbQ"}',
"EQXKqDYLei5XhDucMDIR3n1khdcOqGWmUWDYhcnvi-OBkW92qfcAMSjSn8xPYDmkB2kLnNNsaFeBx1VifD3TCw.eyJ0IjoiMjAxOC0wMy0wMVQwOTo0NjowNS41NDA0NzdaIn0",
max_age=0xFFFFFFFF,
)
assert str(resp["public_key"]) == "KXxwPvbhadLYTglsiGnQe2lxKLCT4VB2qEDd-OQVLbQ"
assert resp["relay_id"] == uuid.UUID("95dc7c80-6db7-4505-8969-3a0927bfb85d")
assert len(resp["token"]) > 40
def test_challenge_response():
resp = sentry_relay.create_register_challenge(
REQUEST,
REQUEST_SIG,
UPSTREAM_SECRET,
max_age=0,
)
assert resp["relay_id"] == uuid.UUID(RELAY_ID.decode("utf8"))
assert len(resp["token"]) > 40
assert ":" in resp["token"]
def test_challenge_response_validation_errors():
with pytest.raises(sentry_relay.UnpackErrorSignatureExpired):
sentry_relay.create_register_challenge(
REQUEST,
REQUEST_SIG,
UPSTREAM_SECRET,
max_age=1,
)
with pytest.raises(sentry_relay.UnpackErrorBadPayload):
sentry_relay.create_register_challenge(
REQUEST + b"__broken",
REQUEST_SIG,
UPSTREAM_SECRET,
max_age=0,
)
with pytest.raises(sentry_relay.UnpackErrorBadSignature):
sentry_relay.create_register_challenge(
REQUEST,
REQUEST_SIG + "__broken",
UPSTREAM_SECRET,
max_age=0,
)
def post(self, request):
"""
Requests to Register a Relay
````````````````````````````
Registers the relay with the sentry installation. If a relay boots
it will always attempt to invoke this endpoint.
"""
try:
json_data = json.loads(request.body)
except ValueError:
return Response({"detail": "No valid json body"},
status=status.HTTP_400_BAD_REQUEST)
serializer = RelayRegisterChallengeSerializer(data=json_data)
if not serializer.is_valid():
return Response(serializer.errors,
status=status.HTTP_400_BAD_REQUEST)
if not is_version_supported(json_data.get("version")):
return Response(
{
"detail":
"Relay version no longer supported, please upgrade to a more recent version"
},
status=status.HTTP_403_FORBIDDEN,
)
public_key = json_data.get("public_key")
if not public_key:
return Response({"detail": "Missing public key"},
status=status.HTTP_400_FORBIDDEN)
if not settings.SENTRY_RELAY_OPEN_REGISTRATION and not is_internal_relay(
request, public_key):
return Response({"detail": "Relay is not allowed to register"},
status=status.HTTP_403_FORBIDDEN)
sig = get_header_relay_signature(request)
if not sig:
return Response({"detail": "Missing relay signature"},
status=status.HTTP_400_BAD_REQUEST)
secret = options.get("system.secret-key")
try:
challenge = create_register_challenge(request.body, sig, secret)
except Exception as exc:
return Response({"detail": str(exc).splitlines()[0]},
status=status.HTTP_400_BAD_REQUEST)
relay_id = six.text_type(challenge["relay_id"])
if relay_id != get_header_relay_id(request):
return Response(
{"detail": "relay_id in payload did not match header"},
status=status.HTTP_400_BAD_REQUEST,
)
try:
relay = Relay.objects.get(relay_id=relay_id)
except Relay.DoesNotExist:
pass
else:
if relay.public_key != six.text_type(public_key):
# This happens if we have an ID collision or someone copies an existing id
return Response(
{
"detail":
"Attempted to register agent with a different public key"
},
status=status.HTTP_400_BAD_REQUEST,
)
return Response(serialize(challenge))
def post(self, request):
"""
Requests to Register a Relay
````````````````````````````
Registers the relay with the sentry installation. If a relay boots
it will always attempt to invoke this endpoint.
"""
try:
json_data = json.loads(request.body)
except ValueError:
return Response({"detail": "No valid json body"}, status=status.HTTP_400_BAD_REQUEST)
serializer = RelayRegisterChallengeSerializer(data=json_data)
if not serializer.is_valid():
return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
if not settings.SENTRY_RELAY_OPEN_REGISTRATION and not is_internal_relay(
request, json_data.get("public_key")
):
return Response(
{"detail": "Relay is not allowed to register"}, status=status.HTTP_401_UNAUTHORIZED
)
sig = get_header_relay_signature(request)
if not sig:
return Response(
{"detail": "Missing relay signature"}, status=status.HTTP_400_BAD_REQUEST
)
try:
challenge = create_register_challenge(request.body, sig)
except Exception as exc:
return Response(
{"detail": str(exc).splitlines()[0]}, status=status.HTTP_400_BAD_REQUEST
)
relay_id = six.text_type(challenge["relay_id"])
if relay_id != get_header_relay_id(request):
return Response(
{"detail": "relay_id in payload did not match header"},
status=status.HTTP_400_BAD_REQUEST,
)
try:
relay = Relay.objects.get(relay_id=relay_id)
except Relay.DoesNotExist:
pass
else:
if relay.public_key != six.text_type(challenge["public_key"]):
# This happens if we have an ID collision or someone copies an existing id
return Response(
{"detail": "Attempted to register agent with a different public key"},
status=status.HTTP_400_BAD_REQUEST,
)
default_cache.set(
"relay-auth:%s" % relay_id,
{"token": challenge["token"], "public_key": six.text_type(challenge["public_key"])},
60,
)
return Response(
serialize(
{"relay_id": six.text_type(challenge["relay_id"]), "token": challenge["token"]}
)
)
