Filter sentry requests

alexiri · alexiri · commit 5f90902db9a0 · 2026-04-18T12:01:49.000+02:00
diff --git a/astra_app/config/logging_filters.py b/astra_app/config/logging_filters.py
@@ -24,6 +24,10 @@ def _is_root_or_login_path(path: str) -> bool:
     )
 
 
+def _is_quiet_request_path(path: str) -> bool:
+    return path == "/_ci" or path.startswith("/_ci/")
+
+
 def _extract_exception_from_args(args: object) -> BaseException | None:
     if isinstance(args, BaseException):
         return args
@@ -77,6 +81,20 @@ def filter(self, record: logging.LogRecord) -> bool:
         return not _is_root_or_login_path(request_path)
 
 
+class QuietRequestPathFilter(logging.Filter):
+    def filter(self, record: logging.LogRecord) -> bool:
+        request_path: str | None = None
+        if hasattr(record, "request_path"):
+            request_path = str(record.request_path)
+        else:
+            request_path = _extract_request_path(record.getMessage())
+
+        if request_path is None:
+            return True
+
+        return not _is_quiet_request_path(request_path)
+
+
 class RequestContextFilter(logging.Filter):
     def filter(self, record: logging.LogRecord) -> bool:
         context = get_request_log_context()
diff --git a/astra_app/config/settings.py b/astra_app/config/settings.py
@@ -987,6 +987,9 @@ def _sentry_before_send(event: dict, hint: dict) -> dict | None:
         'hetrix_access': {
             '()': 'config.logging_filters.HetrixAccessFilter',
         },
+        'quiet_request_paths': {
+            '()': 'config.logging_filters.QuietRequestPathFilter',
+        },
         'request_context': {
             '()': 'config.logging_filters.RequestContextFilter',
         },
@@ -1016,14 +1019,14 @@ def _sentry_before_send(event: dict, hint: dict) -> dict | None:
         'core': {
             'handlers': ['console'],
             'level': 'DEBUG' if DEBUG else 'INFO',
-            'filters': ['request_context'],
+            'filters': ['request_context', 'quiet_request_paths'],
             'propagate': False,
         },
         # Structured app-level access logs enriched with request/user context.
         'astra.access': {
             'handlers': ['access_console'],
             'level': 'INFO',
-            'filters': ['health_endpoint', 'hetrix_access', 'request_context'],
+            'filters': ['health_endpoint', 'hetrix_access', 'request_context', 'quiet_request_paths'],
             'propagate': False,
         },
         # FreeIPA client libs can be noisy; keep them at INFO by default.
@@ -1037,14 +1040,14 @@ def _sentry_before_send(event: dict, hint: dict) -> dict | None:
         'django.request': {
             'handlers': ['console'],
             'level': 'DEBUG',
-            'filters': ['request_context'],
+            'filters': ['request_context', 'quiet_request_paths'],
             'propagate': False,
         },
         # Access logs from `runserver`.
         'django.server': {
             'handlers': ['console'],
             'level': 'WARNING',
-            'filters': ['health_endpoint', 'hetrix_access', 'request_context'],
+            'filters': ['health_endpoint', 'hetrix_access', 'request_context', 'quiet_request_paths'],
             'propagate': False,
         },
         # Django security events
diff --git a/astra_app/core/middleware.py b/astra_app/core/middleware.py
@@ -31,6 +31,10 @@
 _ACCESS_LOG_TEMPLATE = '%({x-forwarded-for}i)s %(l)s %(u)s %(t)s "%(r)s" %(s)s %(b)s "%(f)s" "%(a)s"'
 
 
+def _should_skip_access_log(request_path: str) -> bool:
+    return request_path == "/_ci" or request_path.startswith("/_ci/")
+
+
 def _format_access_log_timestamp() -> str:
     return timezone.now().strftime("[%d/%b/%Y:%H:%M:%S %z]")
 
@@ -369,51 +373,52 @@ def __call__(self, request):
             duration_seconds = time.monotonic() - started_at
             duration_ms = int(round(duration_seconds * 1000))
             request.META["astra.duration_seconds"] = duration_seconds
-            status_code = response.status_code if response is not None else 500
-            if status_code >= 500:
-                outcome = "server_error"
-            elif status_code >= 400:
-                outcome = "client_error"
-            else:
-                outcome = "success"
-
-            extra: dict[str, int | str] = {
-                "event": "astra.http.access",
-                "component": "http",
-                "outcome": outcome,
-                "http_status": status_code,
-                "request_method": request.method,
-                "request_path": request.path,
-                "duration_ms": duration_ms,
-            }
-
-            request_query = str(request.META.get("QUERY_STRING") or "").strip()
-            if request_query:
-                extra["request_query"] = request_query
-
-            request_id = str(request.META.get("HTTP_X_REQUEST_ID") or "").strip()
-            if request_id:
-                extra["request_id"] = request_id
-
-            client_ip = _request_client_ip(request)
-            if client_ip:
-                extra["client_ip"] = client_ip
-
-            user_id = try_get_username_from_user(request.user) if request.user.is_authenticated else None
-            if user_id:
-                extra["user_id"] = user_id
-
-            if error is not None:
-                extra |= exception_log_fields(error)
-
-            access_atoms = _build_access_log_atoms(
-                request,
-                status_code=status_code,
-                response=response,
-                client_ip=client_ip,
-                user_id=user_id,
-            )
-            access_logger.info(_ACCESS_LOG_TEMPLATE, access_atoms, extra=extra)
+            if not _should_skip_access_log(request.path):
+                status_code = response.status_code if response is not None else 500
+                if status_code >= 500:
+                    outcome = "server_error"
+                elif status_code >= 400:
+                    outcome = "client_error"
+                else:
+                    outcome = "success"
+
+                extra: dict[str, int | str] = {
+                    "event": "astra.http.access",
+                    "component": "http",
+                    "outcome": outcome,
+                    "http_status": status_code,
+                    "request_method": request.method,
+                    "request_path": request.path,
+                    "duration_ms": duration_ms,
+                }
+
+                request_query = str(request.META.get("QUERY_STRING") or "").strip()
+                if request_query:
+                    extra["request_query"] = request_query
+
+                request_id = str(request.META.get("HTTP_X_REQUEST_ID") or "").strip()
+                if request_id:
+                    extra["request_id"] = request_id
+
+                client_ip = _request_client_ip(request)
+                if client_ip:
+                    extra["client_ip"] = client_ip
+
+                user_id = try_get_username_from_user(request.user) if request.user.is_authenticated else None
+                if user_id:
+                    extra["user_id"] = user_id
+
+                if error is not None:
+                    extra |= exception_log_fields(error)
+
+                access_atoms = _build_access_log_atoms(
+                    request,
+                    status_code=status_code,
+                    response=response,
+                    client_ip=client_ip,
+                    user_id=user_id,
+                )
+                access_logger.info(_ACCESS_LOG_TEMPLATE, access_atoms, extra=extra)
 
 
 class LoginRequiredMiddleware:
diff --git a/astra_app/core/tests/test_logging_filters.py b/astra_app/core/tests/test_logging_filters.py
@@ -13,9 +13,14 @@ def test_astra_access_logger_uses_access_and_context_filters(self) -> None:
         configured_filters = settings.LOGGING["loggers"]["astra.access"]["filters"]
         self.assertEqual(
             configured_filters,
-            ["health_endpoint", "hetrix_access", "request_context"],
+            ["health_endpoint", "hetrix_access", "request_context", "quiet_request_paths"],
         )
 
+    def test_core_and_django_request_loggers_use_quiet_request_path_filter(self) -> None:
+        self.assertIn("quiet_request_paths", settings.LOGGING["loggers"]["core"]["filters"])
+        self.assertIn("quiet_request_paths", settings.LOGGING["loggers"]["django.request"]["filters"])
+        self.assertIn("quiet_request_paths", settings.LOGGING["loggers"]["django.server"]["filters"])
+
     def test_django_server_logger_suppresses_info_access_lines(self) -> None:
         self.assertEqual(settings.LOGGING["loggers"]["django.server"]["level"], "WARNING")
 
@@ -138,6 +143,50 @@ def test_hetrix_access_filter_keeps_other_paths_and_agents(self) -> None:
         )
         self.assertTrue(filt.filter(non_hetrix_root))
 
+    def test_quiet_request_path_filter_drops_ci_tunnel_logs_from_message(self) -> None:
+        from config.logging_filters import QuietRequestPathFilter
+
+        filt = QuietRequestPathFilter()
+
+        record_tunnel = logging.LogRecord(
+            name="django.server",
+            level=logging.INFO,
+            pathname=__file__,
+            lineno=1,
+            msg='- - - [27/Jan/2026:10:49:08 +0000] "POST /_ci/envelope/ HTTP/1.1" 200 0 "-" "sentry"',
+            args=(),
+            exc_info=None,
+        )
+        self.assertFalse(filt.filter(record_tunnel))
+
+        record_other = logging.LogRecord(
+            name="django.server",
+            level=logging.INFO,
+            pathname=__file__,
+            lineno=1,
+            msg='- - - [27/Jan/2026:10:49:08 +0000] "POST /users/ HTTP/1.1" 200 0 "-" "browser"',
+            args=(),
+            exc_info=None,
+        )
+        self.assertTrue(filt.filter(record_other))
+
+    def test_quiet_request_path_filter_drops_ci_tunnel_logs_from_request_context(self) -> None:
+        from config.logging_filters import QuietRequestPathFilter
+
+        filt = QuietRequestPathFilter()
+        record = logging.LogRecord(
+            name="core.views_sentry",
+            level=logging.WARNING,
+            pathname=__file__,
+            lineno=1,
+            msg="Failed to forward Sentry envelope",
+            args=(),
+            exc_info=None,
+        )
+        record.request_path = "/_ci/envelope/"
+
+        self.assertFalse(filt.filter(record))
+
     def test_request_context_filter_populates_searchable_log_fields(self) -> None:
         from config.logging_filters import RequestContextFilter
 
diff --git a/astra_app/core/tests/test_middleware_freeipa_restore.py b/astra_app/core/tests/test_middleware_freeipa_restore.py
@@ -382,3 +382,15 @@ def _boom(_request):
         self.assertEqual(extra["outcome"], "server_error")
         self.assertEqual(extra["error_type"], "RuntimeError")
         self.assertEqual(extra["error_message"], "middleware boom")
+
+    def test_structured_access_log_middleware_skips_sentry_tunnel_requests(self):
+        factory = RequestFactory()
+        request = factory.post("/_ci/envelope/", data=b"{}", content_type="application/x-sentry-envelope")
+        request.user = AnonymousUser()
+
+        with patch("core.middleware.access_logger.info", autospec=True) as mocked_info:
+            middleware = StructuredAccessLogMiddleware(lambda _req: HttpResponse(status=200))
+            response = middleware(request)
+
+        self.assertEqual(response.status_code, 200)
+        mocked_info.assert_not_called()
