
ref(hc): Remove conditional rollout of hc auth (#58903)

Zach Collins 1 year ago
parent
commit
9f959b91f9

+ 4 - 27
src/sentry/api/authentication.py

@@ -33,7 +33,6 @@ from sentry.services.hybrid_cloud.rpc import compare_signature
 from sentry.services.hybrid_cloud.user import RpcUser
 from sentry.services.hybrid_cloud.user.service import user_service
 from sentry.silo import SiloLimit, SiloMode
-from sentry.utils.env import AuthComponent, should_use_authenticated_token, should_use_rpc_user
 from sentry.utils.sdk import configure_scope
 from sentry.utils.security.orgauthtoken_token import SENTRY_ORG_AUTH_TOKEN_PREFIX, hash_token
 
@@ -132,32 +131,20 @@ def relay_from_id(request, relay_id) -> Tuple[Optional[Relay], bool]:
 
 
 class QuietBasicAuthentication(BasicAuthentication):
-    _hybrid_cloud_rollout_auth_component: AuthComponent
-
     def authenticate_header(self, request: Request) -> str:
         return 'xBasic realm="%s"' % self.www_authenticate_realm
 
-    def _use_authenticated_token(self) -> bool:
-        return should_use_authenticated_token(self._hybrid_cloud_rollout_auth_component)
-
-    def _use_rpc_user(self) -> bool:
-        return should_use_rpc_user(self._hybrid_cloud_rollout_auth_component)
-
     def transform_auth(
         self,
         user: int | User | RpcUser | None | AnonymousUser,
         request_auth: Any,
         entity_id_tag: str | None = None,
         **tags,
-    ) -> Tuple[User | RpcUser | AnonymousUser, Any]:
+    ) -> Tuple[RpcUser | AnonymousUser, AuthenticatedToken | None]:
         if isinstance(user, int):
-            if self._use_rpc_user():
-                user = user_service.get_user(user_id=user)
-            else:
-                user = User.objects.filter(id=user).first()
+            user = user_service.get_user(user_id=user)
         elif isinstance(user, User):
-            if self._use_rpc_user():
-                user = user_service.get_user(user_id=user.id)
+            user = user_service.get_user(user_id=user.id)
         if user is None:
             user = AnonymousUser()
 
@@ -168,12 +155,7 @@ class QuietBasicAuthentication(BasicAuthentication):
                 for k, v in tags.items():
                     scope.set_tag(k, v)
 
-        return (
-            user,
-            auth_token
-            if request_auth is not None and self._use_authenticated_token()
-            else request_auth,
-        )
+        return (user, auth_token)
 
 
 class StandardAuthentication(QuietBasicAuthentication):
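Review bot: `return (user, auth_token)` drops the `request_auth is not None` guard of the removed expression, so the result for a request without credentials now depends entirely on how `auth_token` is assigned, and that assignment is outside the visible hunks. Confirm that it yields `None` when `request_auth` is `None`, as the new annotation `AuthenticatedToken | None` implies, and state it above the return, e.g. `# auth_token is None when request_auth is None`. In the preceding hunk the `isinstance(user, User)` branch now always re-fetches through `user_service.get_user`, so a `User` the caller already loaded becomes `AnonymousUser()` when that lookup returns nothing, while the token is still returned next to it. If callers cannot tell that case apart from a deliberately user-less credential, raising `AuthenticationFailed` there may be the safer default. `transform_auth` has no docstring in the visible lines, and one describing these two outcomes would help the authenticators that call it.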
@@ -236,7 +218,6 @@ class RelayAuthentication(BasicAuthentication):
 @AuthenticationSiloLimit(SiloMode.CONTROL, SiloMode.REGION)
 class ApiKeyAuthentication(QuietBasicAuthentication):
     token_name = b"basic"
-    _hybrid_cloud_rollout_auth_component = AuthComponent.API_KEY_BACKED_AUTH
 
     def accepts_auth(self, auth: list[bytes]) -> bool:
         return bool(auth) and auth[0].lower() == self.token_name
@@ -282,8 +263,6 @@ class ClientIdSecretAuthentication(QuietBasicAuthentication):
     For example, the request to exchange a Grant Code for an Api Token.
     """
 
-    _hybrid_cloud_rollout_auth_component = AuthComponent.SENTRY_APP_BACKED_AUTH
-
     def authenticate(self, request: Request):
         if not request.json_body:
             raise AuthenticationFailed("Invalid request")
@@ -316,7 +295,6 @@ class ClientIdSecretAuthentication(QuietBasicAuthentication):
 @AuthenticationSiloLimit(SiloMode.REGION, SiloMode.CONTROL)
 class UserAuthTokenAuthentication(StandardAuthentication):
     token_name = b"bearer"
-    _hybrid_cloud_rollout_auth_component = AuthComponent.API_TOKEN_BACKED_AUTH
 
     def accepts_auth(self, auth: list[bytes]) -> bool:
         if not super().accepts_auth(auth):
@@ -386,7 +364,6 @@ class UserAuthTokenAuthentication(StandardAuthentication):
 @AuthenticationSiloLimit(SiloMode.CONTROL, SiloMode.REGION)
 class OrgAuthTokenAuthentication(StandardAuthentication):
     token_name = b"bearer"
-    _hybrid_cloud_rollout_auth_component = AuthComponent.ORG_AUTH_TOKEN_BACKED_AUTH
 
     def accepts_auth(self, auth: list[bytes]) -> bool:
         if not super().accepts_auth(auth) or len(auth) != 2:

+ 6 - 9
src/sentry/utils/auth.py

@@ -9,7 +9,6 @@ from urllib.parse import urlencode, urlparse
 from django.conf import settings
 from django.contrib.auth import login as _login
 from django.contrib.auth.backends import ModelBackend
-from django.contrib.auth.base_user import AbstractBaseUser
 from django.http.request import HttpRequest
 from django.urls import resolve, reverse
 from django.utils.http import url_has_allowed_host_and_scheme
@@ -19,9 +18,9 @@ from sentry.models.organization import Organization
 from sentry.models.outbox import outbox_context
 from sentry.models.user import User
 from sentry.services.hybrid_cloud.organization import RpcOrganization
+from sentry.services.hybrid_cloud.user import RpcUser
 from sentry.services.hybrid_cloud.user.service import user_service
 from sentry.utils import metrics
-from sentry.utils.env import AuthComponent, should_use_rpc_user
 from sentry.utils.http import absolute_uri
 
 logger = logging.getLogger("sentry.auth")
@@ -430,13 +429,11 @@ class EmailAuthBackend(ModelBackend):
     def user_can_authenticate(self, user: User) -> bool:
         return True
 
-    def get_user(self, user_id: int) -> AbstractBaseUser | None:
-        if should_use_rpc_user(AuthComponent.EMAIL_BACKED_AUTH):
-            user = user_service.get_user(user_id=user_id)
-            if user:
-                return user
-            return None
-        return super().get_user(user_id)
+    def get_user(self, user_id: int) -> RpcUser | None:
+        user = user_service.get_user(user_id=user_id)
+        if user:
+            return user
+        return None
 
 
 def construct_link_with_query(path: str, query_params: dict[str, str]) -> str:
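Review bot: `EmailAuthBackend.get_user` returns whatever `user_service.get_user` resolves without checking `is_active`, whereas `SocialAuthBackend.get_user` in this same commit returns the user only when `user and user.is_active`. With `user_can_authenticate` returning `True` just above, this looks intentional. Since the fallback to `super().get_user` is gone, this is now the backend's only lookup path, so the difference deserves a comment such as `# inactive users are returned on purpose; see user_can_authenticate`. As a style point, the `if user: return user` / `return None` pair can be written as `return user_service.get_user(user_id=user_id) or None`.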

+ 0 - 32
src/sentry/utils/env.py

@@ -1,5 +1,4 @@
 import sys
-from enum import IntEnum
 
 from django.conf import settings
 
@@ -15,34 +14,3 @@ def is_split_db() -> bool:
         if db["NAME"] in {"region", "control"}:
             return True
     return False
-
-
-class AuthComponent(IntEnum):
-    API_KEY_BACKED_AUTH = 1
-    SENTRY_APP_BACKED_AUTH = 2
-    API_TOKEN_BACKED_AUTH = 3
-    ORG_AUTH_TOKEN_BACKED_AUTH = 4
-    EMAIL_BACKED_AUTH = 5
-    SOCIAL_BACKED_AUTH = 6
-
-
-def should_use_rpc_user(component: AuthComponent) -> bool:
-    from sentry import options
-    from sentry.silo import SiloMode
-
-    return (
-        SiloMode.get_current_mode() != SiloMode.MONOLITH
-        or options.get("hybrid_cloud.authentication.use_rpc_user") >= int(component)
-        or in_test_environment()
-    )
-
-
-def should_use_authenticated_token(component: AuthComponent) -> bool:
-    from sentry import options
-    from sentry.silo import SiloMode
-
-    return (
-        SiloMode.get_current_mode() != SiloMode.MONOLITH
-        or options.get("hybrid_cloud.authentication.use_authenticated_token") >= int(component)
-        or in_test_environment()
-    )

+ 4 - 7
src/social_auth/backends/__init__.py

@@ -26,7 +26,6 @@ from requests_oauthlib import OAuth1
 
 from sentry.services.hybrid_cloud.user.service import user_service
 from sentry.utils import json
-from sentry.utils.env import AuthComponent, should_use_rpc_user
 from sentry.utils.http import absolute_uri
 from social_auth.exceptions import (
     AuthCanceled,
@@ -187,12 +186,10 @@ class SocialAuthBackend:
         Return user with given ID from the User model used by this backend.
         This is called by django.contrib.auth.middleware.
         """
-        if should_use_rpc_user(AuthComponent.SOCIAL_BACKED_AUTH):
-            user = user_service.get_user(user_id=user_id)
-            if user and user.is_active:
-                return user
-            return None
-        return UserSocialAuth.get_user(user_id)
+        user = user_service.get_user(user_id=user_id)
+        if user and user.is_active:
+            return user
+        return None
 
 
 class OAuthBackend(SocialAuthBackend):
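Review bot: The docstring kept as context above the new lines still says the user comes "from the User model used by this backend", but the method now always returns what `user_service.get_user` resolves and no longer calls `UserSocialAuth.get_user`. I would reword it to `Return the active user with the given ID as resolved by user_service, or None.` so the `is_active` filter is documented as well. The docstring opens outside the hunk, so the signature is not visible here. If `UserSocialAuth` has no other use in this module, its import can be removed too.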