Merge branch 'master' into ref/relay-config-endpoint

* master: (115 commits)
  feat: Update to JS SDK 5.6.0-beta.1 + 0.10.2 sentry-python (#14116)
  fix(apm): Whitelist dev.getsentry.net for local development (#14117)
  test(datasets): Make Sentry use generic test functions in Snuba (#14111)
  ref(suspect-commits): Add text changes to empty state (#14121)
  build: Switch to psycopg2-binary
  feat(api): Add option to fetch Organization details without Pr… (#13925)
  ref: Remove EventDetails endpoint (#14107)
  test(ui): Mock the onboarding learn more video (#14108)
  tests(acceptance): Add tests for resolving issues in Issues Li… (#14069)
  feat(ui): Add basic templates for Incident Rules in settings (#14112)
  feat(eventsv2) Add basic transaction list (#14103)
  ref(environments) Optimize environment queries (#14102)
  fix(events-v2) Add additional user attributes to the user column (#14101)
  fix: Don't start pageload transaction (#14115)
  feat: APM Sentry Frontend (#14027)
  ref(onboarding): Fix install promprt URL (#14106)
  fix(app-platform): Allow GET requests for published apps (#14109)
  feat: Update Group.get_latest_event to use Snuba event (#14039)
  ref(onboarding): Rename wizardNew -> onboarding (#14104)
  feat(apm): Update props to address proptype warnings for new transaction attributes (SEN-800) (#14040)
  ...

Author: jan-auer

.yarnrc

@@ -1,2 +1,7 @@
-yarn-path "./bin/yarn"
+# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
+# yarn lockfile v1
+
+
 disable-self-update-check true
+lastUpdateCheck 1562193150687
+yarn-path "./bin/yarn"

README.rst

@@ -2,7 +2,9 @@
 
    <p align="center">
      <p align="center">
-       <img src="https://sentry-brand.storage.googleapis.com/sentry-logo-black.png" alt="Sentry" height="72"
+       <a href="https://sentry.io/?utm_source=github&utm_medium=logo" target="_blank">
+         <img src="https://sentry-brand.storage.googleapis.com/sentry-logo-black.png" alt="Sentry" height="72">
+       </a>
      </p>
      <p align="center">
        Users and logs provide clues. Sentry provides answers.

bin/yarn

@@ -19,6 +19,9 @@
   status = 200
   force = true
 
+  # Pass referer as sentry.io to avoid CSRF validation errors.
+  headers = {Referer = "https://sentry.io/"}
+
 [[redirects]]
   from = "/*"
   to = "/index.html"

netlify.toml

@@ -18,11 +18,18 @@
     "@babel/preset-react": "^7.0.0",
     "@babel/preset-typescript": "^7.3.3",
     "@babel/runtime": "^7.0.0",
-    "@sentry/browser": "^5.4.2",
-    "@sentry/integrations": "^5.4.2",
+    "@sentry/browser": "5.6.0-beta.1",
+    "@sentry/integrations": "5.6.0-beta.1",
     "@sentry/typescript": "^5.3.0",
     "@types/lodash": "^4.14.134",
-    "@types/react-dom": "^16.8.4",
+    "@types/moment-timezone": "^0.5.12",
+    "@types/papaparse": "^4.5.11",
+    "@types/react": "^16.7.0",
+    "@types/react-bootstrap": "^0.32.19",
+    "@types/react-document-title": "^2.0.3",
+    "@types/react-dom": "^16.7.0",
+    "@types/react-router": "^3.0.20",
+    "@types/react-virtualized": "^9.20.1",
     "algoliasearch": "^3.32.0",
     "babel-core": "^7.0.0-bridge.0",
     "babel-loader": "^8.0.0",

package.json

@@ -37,7 +37,7 @@ percy>=1.1.2
 petname>=2.0,<2.1
 Pillow>=3.2.0,<=4.2.1
 progressbar2>=3.10,<3.11
-psycopg2>=2.6.0,<2.8.0
+psycopg2-binary>=2.6.0,<2.8.0
 PyJWT>=1.5.0,<1.6.0
 pytest-django>=2.9.1,<2.10.0
 pytest-html>=1.9.0,<1.10.0
@@ -56,7 +56,7 @@ requests-oauthlib==0.3.3
 requests[security]>=2.20.0,<2.21.0
 selenium==3.141.0
 semaphore>=0.4.38,<0.5.0
-sentry-sdk>=0.10.0
+sentry-sdk>=0.10.2
 setproctitle>=1.1.7,<1.2.0
 simplejson>=3.2.0,<3.9.0
 six>=1.10.0,<1.11.0

requirements-base.txt

@@ -6,3 +6,4 @@ pytest-timeout==1.2.1
 pytest-xdist>=1.18.0,<1.19.0
 responses>=0.8.1,<0.9.0
 sqlparse==0.1.19
+werkzeug==0.15.5

requirements-test.txt

@@ -97,20 +97,20 @@ class SentrySDistCommand(SDistCommand):
 
 class SentryBuildCommand(BuildCommand):
     def run(self):
-        BuildCommand.run(self)
         if not IS_LIGHT_BUILD:
             self.run_command('build_integration_docs')
             self.run_command('build_assets')
             self.run_command('build_js_sdk_registry')
+        BuildCommand.run(self)
 
 
 class SentryDevelopCommand(DevelopCommand):
     def run(self):
-        DevelopCommand.run(self)
         if not IS_LIGHT_BUILD:
             self.run_command('build_integration_docs')
             self.run_command('build_assets')
             self.run_command('build_js_sdk_registry')
+        DevelopCommand.run(self)
 
 
 cmdclass = {

setup.py

@@ -1,10 +1,3 @@
-"""
-sentry
-~~~~~~
-
-:copyright: (c) 2010-2014 by the Sentry Team, see AUTHORS for more details.
-:license: BSD, see LICENSE for more details.
-"""
 from __future__ import absolute_import
 
 import os

src/sentry/__init__.py

@@ -1,10 +1,3 @@
-"""
-sentry
-~~~~~~
-
-:copyright: (c) 2015 by the Sentry Team, see AUTHORS for more details.
-:license: BSD, see LICENSE for more details.
-"""
 from __future__ import absolute_import
 
 from .runner import main

src/sentry/__main__.py

@@ -0,0 +1,16 @@
+from __future__ import absolute_import
+
+from sentry import analytics
+
+
+class SentryAppInstallationUpdatedEvent(analytics.Event):
+    type = 'sentry_app_installation.updated'
+
+    attributes = (
+        analytics.Attribute('sentry_app_installation_id'),
+        analytics.Attribute('sentry_app_id'),
+        analytics.Attribute('organization_id'),
+    )
+
+
+analytics.register(SentryAppInstallationUpdatedEvent)

src/sentry/analytics/events/sentry_app_installation_updated.py

@@ -45,7 +45,16 @@ def wrapped(self, *args, **kwargs):
 
 class SentryAppsPermission(SentryPermission):
     scope_map = {
-        'GET': (),  # Public endpoint.
+        # GET is ideally a public endpoint but for now we are allowing for
+        # anyone who has member permissions or above.
+        'GET': ('event:read',
+                'event:write',
+                'event:admin',
+                'project:releases',
+                'project:read',
+                'org:read',
+                'member:read',
+                'team:read',),
         'POST': ('org:read', 'org:integrations', 'org:write', 'org:admin'),
     }
 
@@ -118,12 +127,25 @@ class SentryAppPermission(SentryPermission):
     }
 
     published_scope_map = {
-        'GET': (),  # Public endpoint.
+        # GET is ideally a public endpoint but for now we are allowing for
+        # anyone who has member permissions or above.
+        'GET': ('event:read',
+                'event:write',
+                'event:admin',
+                'project:releases',
+                'project:read',
+                'org:read',
+                'member:read',
+                'team:read',),
         'PUT': ('org:write', 'org:admin'),
         'POST': ('org:write', 'org:admin'),
         'DELETE': ('org:admin'),
     }
 
+    @property
+    def scope_map(self):
+        return self.published_scope_map
+
     def has_object_permission(self, request, view, sentry_app):
         if not hasattr(request, 'user') or not request.user:
             return False
@@ -138,6 +160,12 @@ def has_object_permission(self, request, view, sentry_app):
             if sentry_app.owner not in request.user.get_orgs():
                 raise Http404
 
+        # TODO(meredith): make a better way to allow for public
+        # endpoints. we can't use ensure_scoped_permission now
+        # that the public endpoint isn't denoted by '()'
+        if sentry_app.is_published and request.method == 'GET':
+            return True
+
         return ensure_scoped_permission(
             request,
             self._scopes_for_sentry_app(sentry_app).get(request.method),
@@ -227,6 +255,12 @@ class SentryAppInstallationPermission(SentryPermission):
         'POST': ('org:integrations', 'event:write', 'event:admin'),
     }
 
+    def has_permission(self, request, *args, **kwargs):
+        # To let the app mark the installation as installed, we don't care about permissions
+        if request.user.is_sentry_app and request.method == 'PUT':
+            return True
+        return super(SentryAppInstallationPermission, self).has_permission(request, *args, **kwargs)
+
     def has_object_permission(self, request, view, installation):
         if not hasattr(request, 'user') or not request.user:
             return False
@@ -236,6 +270,10 @@ def has_object_permission(self, request, view, installation):
         if is_active_superuser(request):
             return True
 
+        # if user is an app, make sure it's for that same app
+        if request.user.is_sentry_app:
+            return request.user == installation.sentry_app.proxy_user
+
         if installation.organization not in request.user.get_orgs():
             raise Http404
 

src/sentry/api/bases/sentryapps.py

@@ -11,7 +11,7 @@
 from sentry.api.base import Endpoint, SessionAuthentication
 from sentry.api.decorators import sudo_required
 from sentry.api.serializers import serialize
-from sentry.api.serializers.models.organization import DetailedOrganizationSerializer
+from sentry.api.serializers.models.organization import DetailedOrganizationSerializerWithProjectsAndTeams
 from sentry.utils.signing import unsign
 from sentry.models import (
     AuditLogEntryEvent, OrganizationMember, Organization, OrganizationStatus, Team, Project
@@ -70,7 +70,7 @@ def get(self, request):
             'organizations': serialize(
                 list(organizations),
                 request.user,
-                DetailedOrganizationSerializer(),
+                DetailedOrganizationSerializerWithProjectsAndTeams(),
                 access=request.access
             ),
             'project': {

src/sentry/api/endpoints/accept_project_transfer.py

@@ -35,6 +35,9 @@ def get(self, request, *args, **kwargs):
         # we always reset the state on GET so you dont end up at an odd location
         auth.initiate_login(request, next_uri)
 
+        # Auth login verifies the test cookie is set
+        request.session.set_test_cookie()
+
         # Single org mode -- send them to the org-specific handler
         if settings.SENTRY_SINGLE_ORGANIZATION:
             org = Organization.get_default()
@@ -55,26 +58,13 @@ def respond_authenticated(self, request):
         next_uri = self.get_next_uri(request)
 
         if not auth.is_valid_redirect(next_uri, host=request.get_host()):
-            next_uri = self.org_redirect_url(request)
+            active_org = self.get_active_organization(request)
+            next_uri = auth.get_org_redirect_url(request, active_org)
 
         return Response({
             'nextUri': next_uri,
         })
 
-    def org_redirect_url(self, request):
-        from sentry import features
-
-        organization = self.get_active_organization(request)
-        if organization:
-            return organization.get_url()
-
-        if not features.has('organizations:create'):
-            # TODO(dcramer): deal with case when the user cannot create orgs.
-            # This will likely cause an infinite loop right now.
-            return '/auth/login'
-
-        return '/organizations/new/'
-
     def get_next_uri(self, request):
         next_uri_fallback = None
         if request.session.get('_next') is not None:

src/sentry/api/endpoints/auth_config.py

@@ -0,0 +1,88 @@
+from __future__ import absolute_import
+
+from rest_framework.response import Response
+
+from sentry.app import ratelimiter
+from sentry.utils import auth, metrics
+from sentry.utils.hashlib import md5_text
+from sentry.api.base import Endpoint
+from sentry.api.serializers.base import serialize
+from sentry.api.serializers.models.user import DetailedUserSerializer
+from sentry.web.forms.accounts import AuthenticationForm
+from sentry.web.frontend.base import OrganizationMixin
+
+
+class AuthLoginEndpoint(Endpoint, OrganizationMixin):
+    # Disable authentication and permission requirements.
+    permission_classes = []
+
+    def post(self, request, organization=None, *args, **kwargs):
+        """
+        Process a login request via username/password. SSO login is handled
+        elsewhere.
+        """
+        login_form = AuthenticationForm(request, request.DATA)
+
+        # Rate limit logins
+        is_limited = ratelimiter.is_limited(
+            u'auth:login:username:{}'.
+            format(md5_text(request.DATA.get('username').lower()).hexdigest()),
+            limit=10,
+            window=60,  # 10 per minute should be enough for anyone
+        )
+
+        if is_limited:
+            errors = {
+                '__all__': [login_form.error_messages['rate_limited']]
+            }
+            metrics.incr(
+                'login.attempt',
+                instance='rate_limited',
+                skip_internal=True,
+                sample_rate=1.0
+            )
+
+            return self.respond_with_error(errors)
+
+        if not login_form.is_valid():
+            metrics.incr(
+                'login.attempt',
+                instance='failure',
+                skip_internal=True,
+                sample_rate=1.0
+            )
+            return self.respond_with_error(login_form.errors)
+
+        user = login_form.get_user()
+
+        auth.login(
+            request,
+            user,
+            organization_id=organization.id if organization else None,
+        )
+        metrics.incr(
+            'login.attempt',
+            instance='success',
+            skip_internal=True,
+            sample_rate=1.0
+        )
+
+        if not user.is_active:
+            return Response({
+                'nextUri': '/auth/reactivate/',
+                'user': serialize(user, user, DetailedUserSerializer()),
+            })
+
+        active_org = self.get_active_organization(request)
+        redirect_url = auth.get_org_redirect_url(request, active_org)
+
+        return Response({
+            'nextUri': auth.get_login_redirect(request, redirect_url),
+            'user': serialize(user, user, DetailedUserSerializer()),
+        })
+
+    def respond_with_error(self, errors):
+        return Response({
+            'detail': 'Login attempt failed',
+            'errors': errors,
+        }, status=400)