feat(auth-v2): Use HTTP Header to protect endpoints on production (#94588)

Depends on #94390.

Author: leedongwei

src/sentry/auth_v2/endpoints/base.py

@@ -0,0 +1,21 @@
+from django.conf import settings
+from rest_framework.permissions import BasePermission
+from rest_framework.request import Request
+
+from sentry.api.base import Endpoint
+
+
+class AuthV2Permission(BasePermission):
+    def has_permission(self, request: Request, view: object) -> bool:
+        if settings.IS_DEV:
+            return True
+
+        # WARN: If the secret is not set on production, we must fail the request.
+        if not settings.AUTH_V2_SECRET:
+            return False
+
+        return request.META.get("HTTP_X_SENTRY_AUTH_V2") == settings.AUTH_V2_SECRET
+
+
+class AuthV2Endpoint(Endpoint):
+    permission_classes = (AuthV2Permission,)

src/sentry/auth_v2/endpoints/user_login_view.py

@@ -1,19 +1,19 @@
-from rest_framework.permissions import AllowAny
 from rest_framework.request import Request
 from rest_framework.response import Response
 
 from sentry.api.api_owners import ApiOwner
 from sentry.api.api_publish_status import ApiPublishStatus
-from sentry.api.base import Endpoint, control_silo_endpoint
+from sentry.api.base import control_silo_endpoint
+
+from .base import AuthV2Endpoint
 
 
 @control_silo_endpoint
-class UserLoginView(Endpoint):
+class UserLoginView(AuthV2Endpoint):
     owner = ApiOwner.ENTERPRISE
     publish_status = {
         "GET": ApiPublishStatus.PRIVATE,
     }
-    permission_classes = (AllowAny,)
 
     def get(self, request: Request) -> Response:
         return Response({"message": "Hello world"})

src/sentry/conf/server.py

@@ -649,6 +649,9 @@ def env(
 
 INITIAL_CUSTOM_USER_MIGRATION = "0108_fix_user"
 
+# Protect login/registration endpoints during development phase
+AUTH_V2_SECRET = ""
+
 # Auth engines and the settings required for them to be listed
 AUTH_PROVIDERS = {
     "github": ("GITHUB_APP_ID", "GITHUB_API_SECRET"),

tests/sentry/auth_v2/endpoints/test_auth_v2_permissions.py

@@ -0,0 +1,45 @@
+from django.test import override_settings
+from rest_framework.views import APIView
+
+from sentry.auth_v2.endpoints.base import AuthV2Permission
+from sentry.testutils.cases import DRFPermissionTestCase
+from sentry.testutils.requests import drf_request_from_request
+
+
+class AuthV2PermissionsTest(DRFPermissionTestCase):
+    """
+    See tests/sentry/api/test_permissions.py
+    """
+
+    def setUp(self):
+        super().setUp()
+        self.auth_v2_permission = AuthV2Permission()
+        self.user = self.create_user(is_superuser=False, is_staff=False)
+
+    def _make_request(self):
+        request = self.make_request(user=self.user)
+        drf_request = drf_request_from_request(request)
+        return drf_request
+
+    def test_is_dev_enabled(self):
+        with override_settings(IS_DEV=True):
+            request = self._make_request()
+            assert self.auth_v2_permission.has_permission(request, APIView())
+
+    def test_is_dev_disabled(self):
+        with override_settings(IS_DEV=False):
+            request = self._make_request()
+            request.META["HTTP_X_SENTRY_AUTH_V2"] = ""  # Fail if the secret is not set
+            assert not self.auth_v2_permission.has_permission(request, APIView())
+
+    def test_secret_matches(self):
+        with override_settings(AUTH_V2_SECRET="secret"):
+            request = self._make_request()
+            request.META["HTTP_X_SENTRY_AUTH_V2"] = "secret"
+            assert self.auth_v2_permission.has_permission(request, APIView())
+
+    def test_secret_does_not_match(self):
+        with override_settings(AUTH_V2_SECRET="secret"):
+            request = self._make_request()
+            request.META["HTTP_X_SENTRY_AUTH_V2"] = "wrong-secret"
+            assert not self.auth_v2_permission.has_permission(request, APIView())