def test_valid_without_key(self): auth_vars = {} # without key result = project_from_auth_vars(auth_vars) self.assertEquals(result, None) # with key auth_vars['sentry_key'] = self.pk.public_key result = project_from_auth_vars(auth_vars) self.assertEquals(result, self.project)
def test_valid_project_from_auth_vars_without_key(self): auth_vars = { 'sentry_signature': 'adf', 'sentry_timestamp': time.time(), } with mock.patch('sentry.coreapi.validate_hmac') as validate_hmac: validate_hmac.return_value = True # without key result = project_from_auth_vars(auth_vars, '') self.assertEquals(result, None) # with key auth_vars['sentry_key'] = self.pm.public_key result = project_from_auth_vars(auth_vars, '') self.assertEquals(result, self.project)
def handle(self, data, address): from sentry.utils.auth import parse_auth_header from sentry.coreapi import (project_from_auth_vars, decode_and_decompress_data, safely_load_json_string, validate_data, insert_data_to_database, APIError) try: try: auth_header, data = data.split("\n\n", 1) except ValueError: raise APIError("missing auth header") project = project_from_auth_vars(parse_auth_header(auth_header), data) if not data.startswith('{'): data = decode_and_decompress_data(data) data = safely_load_json_string(data) try: validate_data(project, data) except InvalidTimestamp: # Log the error, remove the timestamp, and revalidate logger.error('Client %r passed an invalid value for timestamp %r' % ( data['timestamp'], client or '<unknown client>', )) del data['timestamp'] validate_data(project, data) return insert_data_to_database(data) except APIError, error: logger.error('bad message from %s: %s' % (address, error.msg)) return error
def store(request): try: auth_vars = extract_auth_vars(request) data = request.raw_post_data if auth_vars: project = project_from_auth_vars(auth_vars, data) elif request.GET.get('api_key') and request.GET.get( 'project_id') and request.is_secure(): # ssl requests dont have to have signature verification project = project_from_api_key_and_id(request.GET['api_key'], request.GET['project_id']) elif request.GET.get('project_id') and request.user.is_authenticated(): # authenticated users are simply trusted to provide the right id project = project_from_id(request) else: raise APIUnauthorized() if not data.startswith('{'): data = decode_and_decompress_data(data) data = safely_load_json_string(data) ensure_valid_project_id(project, data) insert_data_to_database(data) except APIError, error: return HttpResponse(error.msg, status=error.http_status)
def test_valid_without_key(self): auth_vars = { 'sentry_signature': 'adf', 'sentry_timestamp': time.time(), } with mock.patch('sentry.coreapi.validate_hmac') as validate_hmac_: validate_hmac_.return_value = True # without key result = project_from_auth_vars(auth_vars, '') self.assertEquals(result, None) # with key auth_vars['sentry_key'] = self.pk.public_key result = project_from_auth_vars(auth_vars, '') self.assertEquals(result, self.project)
def handle_sentry(data, address): from sentry.exceptions import InvalidData from sentry.coreapi import project_from_auth_vars, decode_and_decompress_data, \ safely_load_json_string, validate_data, insert_data_to_database, APIError from sentry.utils.auth import parse_auth_header try: try: auth_header, data = data.split('\n\n', 1) except ValueError: raise APIError('missing auth header') auth_vars = parse_auth_header(auth_header) project = project_from_auth_vars(auth_vars, data) client = auth_vars.get('sentry_client') if not data.startswith('{'): data = decode_and_decompress_data(data) data = safely_load_json_string(data) try: validate_data(project, data, client) except InvalidData, e: raise APIError(unicode(e)) return insert_data_to_database(data)
def handle(self, data, address): from sentry.utils.auth import parse_auth_header from sentry.coreapi import (project_from_auth_vars, decode_and_decompress_data, safely_load_json_string, ensure_valid_project_id, insert_data_to_database, APIError) try: try: auth_header, data = data.split("\n\n", 1) except ValueError: raise APIError("missing auth header") project = project_from_auth_vars(parse_auth_header(auth_header), data) if not data.startswith('{'): data = decode_and_decompress_data(data) data = safely_load_json_string(data) ensure_valid_project_id(project, data) return insert_data_to_database(data) except APIError, error: logger.error('bad message from %s: %s' % (address, error.msg)) return error
def store(request): try: auth_vars = extract_auth_vars(request) data = request.raw_post_data if auth_vars: server_version = auth_vars.get('sentry_version', '1.0') else: server_version = request.GET.get('version', '1.0') if server_version not in ('1.0', '2.0'): raise APIError('Client/server version mismatch. Unsupported version: %r' % server_version) if auth_vars: project = project_from_auth_vars(auth_vars, data) elif request.GET.get('api_key') and request.GET.get('project_id') and request.is_secure(): # ssl requests dont have to have signature verification project = project_from_api_key_and_id(request.GET['api_key'], request.GET['project_id']) elif request.GET.get('project_id') and request.user.is_authenticated(): # authenticated users are simply trusted to provide the right id project = project_from_id(request) else: raise APIUnauthorized() if not data.startswith('{'): data = decode_and_decompress_data(data) data = safely_load_json_string(data) validate_data(project, data) insert_data_to_database(data) except APIError, error: return HttpResponse(error.msg, status=error.http_status)
def test_inactive_member(self): self.pm.is_active = False self.pm.save() auth_vars = {} # without key result = project_from_auth_vars(auth_vars) self.assertEquals(result, None) # with key auth_vars['sentry_key'] = self.pk.public_key self.assertRaises(APIUnauthorized, project_from_auth_vars, auth_vars)
def handle_sentry(data, address): from sentry.coreapi import ( project_from_auth_vars, decode_and_decompress_data, safely_load_json_string, validate_data, insert_data_to_database, APIError, APIForbidden, ) from sentry.models import Group from sentry.exceptions import InvalidData from sentry.plugins import plugins from sentry.utils.auth import parse_auth_header try: try: auth_header, data = data.split("\n\n", 1) except ValueError: raise APIError("missing auth header") try: auth_vars = parse_auth_header(auth_header) except (ValueError, IndexError): raise APIError("invalid auth header") project, user = project_from_auth_vars(auth_vars) result = plugins.first("has_perm", user, "create_event", project) if result is False: raise APIForbidden("Creation of this event was blocked") client = auth_vars.get("sentry_client") if not data.startswith("{"): data = decode_and_decompress_data(data) data = safely_load_json_string(data) try: validate_data(project, data, client) except InvalidData, e: raise APIError(u"Invalid data: %s (%s)" % (unicode(e), type(e))) Group.objects.normalize_event_data(data) return insert_data_to_database(data)
def test_inactive_member(self): self.pm.is_active = False self.pm.save() auth_vars = { 'sentry_signature': 'adf', 'sentry_timestamp': time.time(), } with mock.patch('sentry.coreapi.validate_hmac') as validate_hmac_: validate_hmac_.return_value = True # without key result = project_from_auth_vars(auth_vars, '') self.assertEquals(result, None) # with key auth_vars['sentry_key'] = self.pk.public_key self.assertRaises(APIUnauthorized, project_from_auth_vars, auth_vars, '')
def handle_sentry(data, address): from sentry.coreapi import (project_from_auth_vars, decode_and_decompress_data, safely_load_json_string, validate_data, insert_data_to_database, APIError, APIForbidden) from sentry.models import Group from sentry.exceptions import InvalidData from sentry.plugins import plugins from sentry.utils.auth import parse_auth_header try: try: auth_header, data = data.split('\n\n', 1) except ValueError: raise APIError('missing auth header') try: auth_vars = parse_auth_header(auth_header) except (ValueError, IndexError): raise APIError('invalid auth header') project, user = project_from_auth_vars(auth_vars) result = plugins.first('has_perm', user, 'create_event', project) if result is False: raise APIForbidden('Creation of this event was blocked') client = auth_vars.get('sentry_client') if not data.startswith('{'): data = decode_and_decompress_data(data) data = safely_load_json_string(data) try: validate_data(project, data, client) except InvalidData, e: raise APIError(u'Invalid data: %s (%s)' % (unicode(e), type(e))) Group.objects.normalize_event_data(data) return insert_data_to_database(data)
def handle_sentry(data, address): from sentry.coreapi import project_from_auth_vars, decode_and_decompress_data, \ safely_load_json_string, validate_data, insert_data_to_database, APIError, \ APIForbidden from sentry.exceptions import InvalidData from sentry.plugins import plugins from sentry.utils.auth import parse_auth_header try: try: auth_header, data = data.split('\n\n', 1) except ValueError: raise APIError('missing auth header') try: auth_vars = parse_auth_header(auth_header) except (ValueError, IndexError): raise APIError('invalid auth header') project, user = project_from_auth_vars(auth_vars) result = plugins.first('has_perm', user, 'create_event', project) if result is False: raise APIForbidden('Creation of this event was blocked') client = auth_vars.get('sentry_client') if not data.startswith('{'): data = decode_and_decompress_data(data) data = safely_load_json_string(data) try: validate_data(project, data, client) except InvalidData, e: raise APIError(u'Invalid data: %s (%s)' % (unicode(e), type(e))) return insert_data_to_database(data)
class APIView(BaseView): def _get_project_from_id(self, project_id): if project_id: if project_id.isdigit(): lookup_kwargs = {'id': int(project_id)} else: lookup_kwargs = {'slug': project_id} try: return Project.objects.get_from_cache(**lookup_kwargs) except Project.DoesNotExist: raise APIError('Invalid project_id: %r' % project_id) return None def _parse_header(self, request, project): try: auth_vars = extract_auth_vars(request) except (IndexError, ValueError): raise APIError('Invalid auth header') if not auth_vars: raise APIError( 'Client/server version mismatch: Unsupported client') server_version = auth_vars.get('sentry_version', '1.0') client = auth_vars.get('sentry_client', request.META.get('HTTP_USER_AGENT')) if server_version not in ('2.0', '3', '4'): raise APIError( 'Client/server version mismatch: Unsupported protocol version (%s)' % server_version) if not client: raise APIError( 'Client request error: Missing client version identifier') return auth_vars @csrf_exempt def dispatch(self, request, project_id=None, *args, **kwargs): try: origin = self.get_request_origin(request) response = self._dispatch(request, project_id=project_id, *args, **kwargs) except Exception: response = HttpResponse(status=500) if response.status_code != 200: # Set X-Sentry-Error as in many cases it is easier to inspect the headers response[ 'X-Sentry-Error'] = response.content[: 200] # safety net on content length if response.status_code == 500: log = logger.error exc_info = True else: log = logger.info exc_info = None log('status=%s project_id=%s user_id=%s ip=%s agent=%s %s', response.status_code, project_id, request.user.is_authenticated() and request.user.id or None, request.META['REMOTE_ADDR'], request.META.get('HTTP_USER_AGENT'), response['X-Sentry-Error'], extra={ 'request': request, }, exc_info=exc_info) if origin: # We allow all origins on errors response['Access-Control-Allow-Origin'] = '*' if origin: response['Access-Control-Allow-Headers'] = 'X-Sentry-Auth, X-Requested-With, Origin, Accept, Content-Type, ' \ 'Authentication' response['Access-Control-Allow-Methods'] = ', '.join( self._allowed_methods()) return response def get_request_origin(self, request): """ Returns either the Origin or Referer value from the request headers. """ return request.META.get('HTTP_ORIGIN', request.META.get('HTTP_REFERER')) def _dispatch(self, request, project_id=None, *args, **kwargs): request.user = AnonymousUser() try: project = self._get_project_from_id(project_id) except APIError, e: return HttpResponse(str(e), content_type='text/plain', status=400) origin = self.get_request_origin(request) if origin is not None: if not project: return HttpResponse( 'Your client must be upgraded for CORS support.') elif not is_valid_origin(origin, project): return HttpResponse('Invalid origin: %r' % origin, content_type='text/plain', status=400) # XXX: It seems that the OPTIONS call does not always include custom headers if request.method == 'OPTIONS': response = self.options(request, project) else: try: auth_vars = self._parse_header(request, project) except APIError, e: return HttpResponse(str(e), content_type='text/plain', status=400) try: project_, user = project_from_auth_vars(auth_vars) except APIError, error: return HttpResponse(unicode(error.msg), status=error.http_status)
def _dispatch(self, request, project_id=None, *args, **kwargs): request.user = AnonymousUser() try: project = self._get_project_from_id(project_id) except APIError as e: raise InvalidRequest(str(e)) if project: Raven.tags_context({'project': project.id}) origin = self.get_request_origin(request) if origin is not None and not project: raise InvalidRequest('Your client must be upgraded for CORS support.') # XXX: It seems that the OPTIONS call does not always include custom headers if request.method == 'OPTIONS': if is_valid_origin(origin, project): response = self.options(request, project) else: raise InvalidOrigin(origin) else: try: auth_vars = self._parse_header(request, project) except APIError as e: raise InvalidRequest(str(e)) try: project_, user = project_from_auth_vars(auth_vars) except APIError as error: return HttpResponse(unicode(error.msg), status=error.http_status) else: if user: request.user = user # Legacy API was /api/store/ and the project ID was only available elsewhere if not project: if not project_: raise InvalidRequest('Unable to identify project') project = project_ elif project_ != project: raise InvalidRequest('Project ID mismatch') else: Raven.tags_context({'project': project.id}) auth = Auth(auth_vars, is_public=bool(origin)) if auth.version >= 3: if request.method == 'GET': # GET only requires an Origin/Referer check if not is_valid_origin(origin, project): if origin is None: raise InvalidRequest('Missing required Origin or Referer header') else: raise InvalidOrigin(origin) else: # Version 3 enforces secret key for server side requests if not auth.secret_key: raise InvalidRequest('Missing required attribute in authentication header: sentry_secret') try: response = super(APIView, self).dispatch(request, project=project, auth=auth, **kwargs) except APIError as error: response = HttpResponse(unicode(error.msg), content_type='text/plain', status=error.http_status) if origin: response['Access-Control-Allow-Origin'] = origin return response
def _dispatch(self, request, project_id=None, *args, **kwargs): request.user = AnonymousUser() try: project = self._get_project_from_id(project_id) except APIError as e: raise InvalidRequest(str(e)) if project: Raven.tags_context({'project': project.id}) origin = self.get_request_origin(request) if origin is not None: # This check is specific for clients who need CORS support if not project: raise InvalidRequest('Your client must be upgraded for CORS support.') if not is_valid_origin(origin, project): raise InvalidOrigin(origin) # XXX: It seems that the OPTIONS call does not always include custom headers if request.method == 'OPTIONS': response = self.options(request, project) else: try: auth_vars = self._parse_header(request, project) except APIError as e: raise InvalidRequest(str(e)) try: project_, user = project_from_auth_vars(auth_vars) except APIError as error: return HttpResponse(six.text_type(error.msg), status=error.http_status) else: if user: request.user = user # Legacy API was /api/store/ and the project ID was only available elsewhere if not project: if not project_: raise InvalidRequest('Unable to identify project') project = project_ elif project_ != project: raise InvalidRequest('Project ID mismatch') else: Raven.tags_context({'project': project.id}) auth = Auth(auth_vars, is_public=bool(origin)) if auth.version >= 3: if request.method == 'GET': # GET only requires an Origin/Referer check # If an Origin isn't passed, it's possible that the project allows no origin, # so we need to explicitly check for that here. If Origin is not None, # it can be safely assumed that it was checked previously and it's ok. if origin is None and not is_valid_origin(origin, project): # Special case an error message for a None origin when None wasn't allowed raise InvalidRequest('Missing required Origin or Referer header') else: # Version 3 enforces secret key for server side requests if not auth.secret_key: raise InvalidRequest('Missing required attribute in authentication header: sentry_secret') try: response = super(APIView, self).dispatch(request, project=project, auth=auth, **kwargs) except APIError as error: response = HttpResponse(six.text_type(error.msg), content_type='text/plain', status=error.http_status) if isinstance(error, APIRateLimited) and error.retry_after is not None: response['Retry-After'] = str(error.retry_after) if origin: response['Access-Control-Allow-Origin'] = origin return response
def _dispatch(self, request, project_id=None, *args, **kwargs): request.user = AnonymousUser() try: project = self._get_project_from_id(project_id) except APIError, e: return HttpResponse(str(e), status=400) try: auth_vars = self._parse_header(request, project) except APIError, e: return HttpResponse(str(e), status=400) try: project_, user = project_from_auth_vars(auth_vars) except APIError, error: if project: logger.info('Project %r raised API error: %s', project.slug, error, extra={ 'request': request, }, exc_info=True) return HttpResponse(unicode(error.msg), status=error.http_status) else: if user: request.user = user # Legacy API was /api/store/ and the project ID was only available elsewhere if not project: if not project_: return HttpResponse('Unable to identify project', status=400) project = project_
def store(request, project=None): """ The primary endpoint for storing new events. This will validate the client's authentication and data, and if successfull pass on the payload to the internal database handler. Authentication works in three flavors: 1. Explicit signed requests These are implemented using the documented signed request protocol, and require an authentication header which is signed using with the project member's secret key. 2. CORS Secured Requests Generally used for communications with client-side platforms (such as JavaScript in the browser), they require a standard header, excluding the signature and timestamp requirements, and must be listed in the origins for the given project (or the global origins). 3. Implicit trusted requests Used by the Sentry core, they are only available from same-domain requests and do not require any authentication information. They only require that the user be authenticated, and a project_id be sent in the GET variables. """ logger.debug('Inbound %r request from %r (%s)', request.method, request.META['REMOTE_ADDR'], request.META.get('HTTP_USER_AGENT')) client = '<unknown client>' response = HttpResponse() if request.method == 'POST': try: auth_vars = extract_auth_vars(request) data = request.raw_post_data if auth_vars: server_version = auth_vars.get('sentry_version', '1.0') client = auth_vars.get('sentry_client', request.META.get('HTTP_USER_AGENT')) else: server_version = request.GET.get('version', '1.0') client = request.META.get('HTTP_USER_AGENT', request.GET.get('client')) if server_version not in ('1.0', '2.0'): raise APIError( 'Client/server version mismatch: Unsupported version: %r' % server_version) if server_version != '1.0' and not client: raise APIError( 'Client request error: Missing client version identifier.') referrer = request.META.get('HTTP_REFERER') if auth_vars: # We only require a signature if a referrer was not set # (this is restricted via the CORS headers) project_ = project_from_auth_vars(auth_vars, data, require_signature=False) if not project: project = project_ elif project_ != project: raise APIError('Project ID mismatch') elif request.user.is_authenticated() and is_same_domain( request.build_absolute_uri(), referrer): # authenticated users are simply trusted to provide the right id project_ = project_from_id(request) if not project: project = project_ elif project_ != project: raise APIError('Project ID mismatch') else: raise APIUnauthorized() if not data.startswith('{'): data = decode_and_decompress_data(data) data = safely_load_json_string(data) try: validate_data(project, data, client) except InvalidData, e: raise APIError(u'Invalid data: %s' % unicode(e)) insert_data_to_database(data) except APIError, error: logger.error('Client %r raised API error: %s', client, error, extra={ 'request': request, }, exc_info=True) response = HttpResponse(unicode(error.msg), status=error.http_status)
def test_valid_with_key(self): auth_vars = {'sentry_key': self.pk.public_key} result = project_from_auth_vars(auth_vars) self.assertEquals(result, (self.project, self.pk.user))
def _dispatch(self, request, project_id=None, *args, **kwargs): request.user = AnonymousUser() try: project = self._get_project_from_id(project_id) except APIError as e: raise InvalidRequest(str(e)) if project: Raven.tags_context({'project': project.id}) origin = self.get_request_origin(request) if origin is not None: # This check is specific for clients who need CORS support if not project: raise InvalidRequest( 'Your client must be upgraded for CORS support.') if not is_valid_origin(origin, project): raise InvalidOrigin(origin) # XXX: It seems that the OPTIONS call does not always include custom headers if request.method == 'OPTIONS': response = self.options(request, project) else: try: auth_vars = self._parse_header(request, project) except APIError as e: raise InvalidRequest(str(e)) try: project_, user = project_from_auth_vars(auth_vars) except APIError as error: return HttpResponse(six.text_type(error.msg), status=error.http_status) else: if user: request.user = user # Legacy API was /api/store/ and the project ID was only available elsewhere if not project: if not project_: raise InvalidRequest('Unable to identify project') project = project_ elif project_ != project: raise InvalidRequest('Project ID mismatch') else: Raven.tags_context({'project': project.id}) auth = Auth(auth_vars, is_public=bool(origin)) if auth.version >= 3: if request.method == 'GET': # GET only requires an Origin/Referer check # If an Origin isn't passed, it's possible that the project allows no origin, # so we need to explicitly check for that here. If Origin is not None, # it can be safely assumed that it was checked previously and it's ok. if origin is None and not is_valid_origin(origin, project): # Special case an error message for a None origin when None wasn't allowed raise InvalidRequest( 'Missing required Origin or Referer header') else: # Version 3 enforces secret key for server side requests if not auth.secret_key: raise InvalidRequest( 'Missing required attribute in authentication header: sentry_secret' ) try: response = super(APIView, self).dispatch(request, project=project, auth=auth, **kwargs) except APIError as error: response = HttpResponse(six.text_type(error.msg), content_type='text/plain', status=error.http_status) if isinstance( error, APIRateLimited) and error.retry_after is not None: response['Retry-After'] = str(error.retry_after) if origin: response['Access-Control-Allow-Origin'] = origin return response
def store(request, project_id=None): """ The primary endpoint for storing new events. This will validate the client's authentication and data, and if successfull pass on the payload to the internal database handler. Authentication works in three flavors: 1. Explicit signed requests These are implemented using the documented signed request protocol, and require an authentication header which is signed using with the project member's secret key. 2. CORS Secured Requests Generally used for communications with client-side platforms (such as JavaScript in the browser), they require a standard header, excluding the signature and timestamp requirements, and must be listed in the origins for the given project (or the global origins). 3. Implicit trusted requests Used by the Sentry core, they are only available from same-domain requests and do not require any authentication information. They only require that the user be authenticated, and a project_id be sent in the GET variables. """ logger.debug('Inbound %r request from %r', request.method, request.META['REMOTE_ADDR']) client = '<unknown client>' if project_id: if project_id.isdigit(): lookup_kwargs = {'id': int(project_id)} else: lookup_kwargs = {'slug': project_id} try: project = Project.objects.get_from_cache(**lookup_kwargs) except Project.DoesNotExist: raise APIError('Project does not exist') else: project = None if request.method == 'POST': try: auth_vars = extract_auth_vars(request) data = request.raw_post_data if auth_vars: server_version = auth_vars.get('sentry_version', '1.0') client = auth_vars.get('sentry_client') else: server_version = request.GET.get('version', '1.0') client = request.META.get('HTTP_USER_AGENT', request.GET.get('client')) if server_version not in ('1.0', '2.0'): raise APIError('Client/server version mismatch: Unsupported version: %r' % server_version) if server_version != '1.0' and not client: raise APIError('Client request error: Missing client version identifier.') referrer = request.META.get('HTTP_REFERER') if auth_vars: # We only require a signature if a referrer was not set # (this is restricted via the CORS headers) origin = request.META.get('HTTP_ORIGIN') project_ = project_from_auth_vars(auth_vars, data, require_signature=bool(not origin)) if not project: project = project_ elif project_ != project: raise APIError('Project ID mismatch') elif request.user.is_authenticated() and is_same_domain(request.build_absolute_uri(), referrer): # authenticated users are simply trusted to provide the right id project_ = project_from_id(request) if not project: project = project_ elif project_ != project: raise APIError('Project ID mismatch') else: raise APIUnauthorized() if not data.startswith('{'): data = decode_and_decompress_data(data) data = safely_load_json_string(data) try: validate_data(project, data, client) except InvalidData, e: raise APIError(unicode(e)) insert_data_to_database(data) except APIError, error: logging.error('Client %r raised API error: %s' % (client, error), exc_info=True) response = HttpResponse(unicode(error.msg), status=error.http_status)
return auth_vars @csrf_exempt def dispatch(self, request, project_id=None, *args, **kwargs): try: project = self._get_project_from_id(project_id) except APIError, e: return HttpResponse(str(e), status=400) try: auth_vars = self._parse_header(request, project) except APIError, e: return HttpResponse(str(e), status=400) project_ = project_from_auth_vars(auth_vars) # Legacy API was /api/store/ and the project ID was only available elsewhere if not project: if not project_: return HttpResponse('Unable to identify project', status=400) project = project_ elif project_ != project: return HttpResponse('Project ID mismatch', status=400) origin = request.META.get('HTTP_ORIGIN', None) if origin is not None and not is_valid_origin(origin, project): return HttpResponse('Invalid origin: %r' % origin, status=400) auth = Auth(auth_vars)
def store(request): """ The primary endpoint for storing new events. This will validate the client's authentication and data, and if successfull pass on the payload to the internal database handler. Authentication works in three flavors: 1. Explicit signed requests These are implemented using the documented signed request protocol, and require an authentication header which is signed using with the project member's secret key. 2. Explicit trusted requests Generally used for communications with client-side platforms (such as JavaScript in the browser), they require the GET variables public_key and project_id, as well as an HTTP_REFERER to be set from a trusted domain. 3. Implicit trusted requests Used by the Sentry core, they are only available from same-domain requests and do not require any authentication information. They only require that the user be authenticated, and a project_id be sent in the GET variables. """ logger.debug('Inbound %r request from %r', request.method, request.META['REMOTE_ADDR']) client = '<unknown client>' try: if request.method == 'POST': auth_vars = extract_auth_vars(request) data = request.raw_post_data if auth_vars: server_version = auth_vars.get('sentry_version', '1.0') client = auth_vars.get('sentry_client') else: server_version = request.GET.get('version', '1.0') client = request.META.get('HTTP_USER_AGENT', request.GET.get('client')) if server_version not in ('1.0', '2.0'): raise APIError('Client/server version mismatch: Unsupported version: %r' % server_version) if server_version != '1.0' and not client: raise APIError('Client request error: Missing client version identifier.') referrer = request.META.get('HTTP_REFERER') if auth_vars: project = project_from_auth_vars(auth_vars, data) elif request.GET.get('api_key') and request.GET.get('project_id'): # public requests only need referrer validation for CSRF project = project_from_api_key_and_id(request.GET['api_key'], request.GET['project_id']) if not ProjectDomain.test(project, referrer): raise APIUnauthorized() elif request.GET.get('project_id') and request.user.is_authenticated() and \ is_same_domain(request.build_absolute_uri(), referrer): # authenticated users are simply trusted to provide the right id project = project_from_id(request) else: raise APIUnauthorized() if not data.startswith('{'): data = decode_and_decompress_data(data) data = safely_load_json_string(data) try: validate_data(project, data) except InvalidTimestamp: # Log the error, remove the timestamp, and revalidate error_logger.error('Client %r passed an invalid value for timestamp %r' % ( data['timestamp'], client or '<unknown client>', )) del data['timestamp'] validate_data(project, data) insert_data_to_database(data) except APIError, error: logging.error('Client %r raised API error: %s' % (client, error), exc_info=True) response = HttpResponse(unicode(error.msg), status=error.http_status)
def store(request): """ The primary endpoint for storing new events. This will validate the client's authentication and data, and if successfull pass on the payload to the internal database handler. Authentication works in three flavors: 1. Explicit signed requests These are implemented using the documented signed request protocol, and require an authentication header which is signed using with the project member's secret key. 2. Explicit trusted requests Generally used for communications with client-side platforms (such as JavaScript in the browser), they require the GET variables public_key and project_id, as well as an HTTP_REFERER to be set from a trusted domain. 3. Implicit trusted requests Used by the Sentry core, they are only available from same-domain requests and do not require any authentication information. They only require that the user be authenticated, and a project_id be sent in the GET variables. """ logger.debug('Inbound %r request from %r', request.method, request.META['REMOTE_ADDR']) client = '<unknown client>' try: if request.method == 'POST': auth_vars = extract_auth_vars(request) data = request.raw_post_data if auth_vars: server_version = auth_vars.get('sentry_version', '1.0') client = auth_vars.get('sentry_client') else: server_version = request.GET.get('version', '1.0') client = request.META.get('HTTP_USER_AGENT', request.GET.get('client')) if server_version not in ('1.0', '2.0'): raise APIError( 'Client/server version mismatch: Unsupported version: %r' % server_version) if server_version != '1.0' and not client: raise APIError( 'Client request error: Missing client version identifier.') referrer = request.META.get('HTTP_REFERER') if auth_vars: project = project_from_auth_vars(auth_vars, data) elif request.GET.get('api_key') and request.GET.get('project_id'): # public requests only need referrer validation for CSRF project = project_from_api_key_and_id( request.GET['api_key'], request.GET['project_id']) if not ProjectDomain.test(project, referrer): raise APIUnauthorized() elif request.GET.get('project_id') and request.user.is_authenticated() and \ is_same_domain(request.build_absolute_uri(), referrer): # authenticated users are simply trusted to provide the right id project = project_from_id(request) else: raise APIUnauthorized() if not data.startswith('{'): data = decode_and_decompress_data(data) data = safely_load_json_string(data) try: validate_data(project, data, client) except InvalidData, e: raise APIError(unicode(e)) insert_data_to_database(data) except APIError, error: logging.error('Client %r raised API error: %s' % (client, error), exc_info=True) response = HttpResponse(unicode(error.msg), status=error.http_status)
def _dispatch(self, request, project_id=None, *args, **kwargs): request.user = AnonymousUser() try: project = self._get_project_from_id(project_id) except APIError, e: return HttpResponse(str(e), status=400) try: auth_vars = self._parse_header(request, project) except APIError, e: return HttpResponse(str(e), status=400) try: project_, user = project_from_auth_vars(auth_vars) except APIError, error: if project: logger.info('Project %r raised API error: %s', project.slug, error, extra={ 'request': request, }, exc_info=True) return HttpResponse(unicode(error.msg), status=error.http_status) else: if user: request.user = user # Legacy API was /api/store/ and the project ID was only available elsewhere
def store(request, project=None): """ The primary endpoint for storing new events. This will validate the client's authentication and data, and if successfull pass on the payload to the internal database handler. Authentication works in three flavors: 1. Explicit signed requests These are implemented using the documented signed request protocol, and require an authentication header which is signed using with the project member's secret key. 2. CORS Secured Requests Generally used for communications with client-side platforms (such as JavaScript in the browser), they require a standard header, excluding the signature and timestamp requirements, and must be listed in the origins for the given project (or the global origins). 3. Implicit trusted requests Used by the Sentry core, they are only available from same-domain requests and do not require any authentication information. They only require that the user be authenticated, and a project_id be sent in the GET variables. """ logger.debug( "Inbound %r request from %r (%s)", request.method, request.META["REMOTE_ADDR"], request.META.get("HTTP_USER_AGENT"), ) client = "<unknown client>" response = HttpResponse() if request.method == "POST": try: auth_vars = extract_auth_vars(request) data = request.raw_post_data if auth_vars: server_version = auth_vars.get("sentry_version", "1.0") client = auth_vars.get("sentry_client", request.META.get("HTTP_USER_AGENT")) else: server_version = request.GET.get("version", "1.0") client = request.META.get("HTTP_USER_AGENT", request.GET.get("client")) if server_version not in ("1.0", "2.0"): raise APIError("Client/server version mismatch: Unsupported version: %r" % server_version) if server_version != "1.0" and not client: raise APIError("Client request error: Missing client version identifier.") referrer = request.META.get("HTTP_REFERER") if auth_vars: # We only require a signature if a referrer was not set # (this is restricted via the CORS headers) project_ = project_from_auth_vars(auth_vars, data, require_signature=False) if not project: project = project_ elif project_ != project: raise APIError("Project ID mismatch") elif request.user.is_authenticated() and is_same_domain(request.build_absolute_uri(), referrer): # authenticated users are simply trusted to provide the right id project_ = project_from_id(request) if not project: project = project_ elif project_ != project: raise APIError("Project ID mismatch") else: raise APIUnauthorized() if not data.startswith("{"): data = decode_and_decompress_data(data) data = safely_load_json_string(data) try: validate_data(project, data, client) except InvalidData, e: raise APIError(u"Invalid data: %s" % unicode(e)) insert_data_to_database(data) except APIError, error: logger.error("Client %r raised API error: %s", client, error, extra={"request": request}, exc_info=True) response = HttpResponse(unicode(error.msg), status=error.http_status)