sentry/tests/integration/test_api.py

from django.urls import reverse

from sentry.models import AuthIdentity, AuthProvider
from sentry.testutils import AuthProviderTestCase
from sentry.utils.auth import SSO_SESSION_KEY
from sentry.utils.linksign import generate_signed_link


class AuthenticationTest(AuthProviderTestCase):
    def test_sso_auth_required(self):
        user = self.create_user("foo@example.com", is_superuser=False)
        organization = self.create_organization(name="foo")
        team = self.create_team(name="bar", organization=organization)
        project = self.create_project(name="baz", organization=organization, teams=[team])
        member = self.create_member(user=user, organization=organization, teams=[team])
        setattr(member.flags, "sso:linked", True)
        member.save()
        event = self.store_event(data={}, project_id=project.id)
        group_id = event.group_id
        auth_provider = AuthProvider.objects.create(
            organization=organization, provider="dummy", flags=0
        )

        AuthIdentity.objects.create(auth_provider=auth_provider, user=user)

        self.login_as(user)

        paths = (
            f"/api/0/organizations/{organization.slug}/",
            f"/api/0/projects/{organization.slug}/{project.slug}/",
            f"/api/0/teams/{organization.slug}/{team.slug}/",
            f"/api/0/issues/{group_id}/",
            # this uses the internal API, which once upon a time was broken
            f"/api/0/issues/{group_id}/events/latest/",
        )

        for path in paths:
            # we should be redirecting the user to the authentication form as they
            # haven't verified this specific organization
            resp = self.client.get(path)
            assert resp.status_code == 401, (resp.status_code, resp.content)

        # superuser should still require SSO as they're a member of the org
        user.update(is_superuser=True)
        for path in paths:
            resp = self.client.get(path)
            assert resp.status_code == 401, (resp.status_code, resp.content)

        # XXX(dcramer): using internal API as exposing a request object is hard
        self.session[SSO_SESSION_KEY] = str(organization.id)
        self.save_session()

        # now that SSO is marked as complete, we should be able to access dash
        for path in paths:
            resp = self.client.get(path)
            assert resp.status_code == 200, (path, resp.status_code, resp.content)

    def test_sso_auth_required_signed_link(self):
        user = self.create_user("foo@example.com", is_superuser=False)
        organization = self.create_organization(name="foo")
        team = self.create_team(name="bar", organization=organization)
        project = self.create_project(name="baz", organization=organization, teams=[team])
        member = self.create_member(user=user, organization=organization, teams=[team])
        setattr(member.flags, "sso:linked", True)
        member.save()

        self.store_event(data={}, project_id=project.id)

        auth_provider = AuthProvider.objects.create(
            organization=organization, provider="dummy", flags=0
        )

        AuthIdentity.objects.create(auth_provider=auth_provider, user=user)

        self.login_as(user)

        unsigned_link = reverse(
            "sentry-api-0-project-fix-processing-issues",
            kwargs={"project_slug": project.slug, "organization_slug": organization.slug},
        )

        resp = self.client.get(unsigned_link)
        assert resp.status_code == 401, (resp.status_code, resp.content)

        signed_link = generate_signed_link(
            user,
            "sentry-api-0-project-fix-processing-issues",
            kwargs={"project_slug": project.slug, "organization_slug": organization.slug},
        )

        resp = self.client.get(signed_link)
        assert resp.status_code == 200