Use tunnel for sentry

Author: alexiri

astra_app/core/context_processors.py

@@ -1,7 +1,8 @@
 from email.utils import parseaddr
-from urllib.parse import urlsplit
 
 from django.conf import settings
+from django.contrib.staticfiles.storage import staticfiles_storage
+from django.urls import reverse
 
 from core.build_info import get_build_sha
 from core.membership import get_membership_review_badge_counts
@@ -43,33 +44,23 @@ def chat_networks(_request) -> dict[str, object]:
     return {"chat_networks": settings.CHAT_NETWORKS}
 
 
-def _sentry_browser_loader_src(dsn: str) -> str:
-    parsed = urlsplit(dsn)
-    public_key = parsed.username or ""
-    if not public_key:
-        return ""
-
-    # Use Sentry's loader script because this repo does not have a JS package build.
-    return f"https://js.sentry-cdn.com/{public_key}.min.js"
-
-
 def build_info(_request) -> dict[str, object]:
-    sentry_browser_loader_src = ""
+    sentry_browser_bundle_src = ""
     sentry_browser_config: dict[str, object] | None = None
     if settings.SENTRY_DSN:
-        sentry_browser_loader_src = _sentry_browser_loader_src(settings.SENTRY_DSN)
-        if sentry_browser_loader_src:
-            sentry_browser_config = {
-                "dsn": settings.SENTRY_DSN,
-                "environment": settings.SENTRY_ENVIRONMENT,
-                "release": settings.SENTRY_RELEASE,
-                "tracesSampleRate": settings.SENTRY_TRACES_SAMPLE_RATE,
-            }
+        sentry_browser_bundle_src = staticfiles_storage.url("core/vendor/sentry/bundle.tracing.min.js")
+        sentry_browser_config = {
+            "dsn": settings.SENTRY_DSN,
+            "environment": settings.SENTRY_ENVIRONMENT,
+            "release": settings.SENTRY_RELEASE,
+            "tracesSampleRate": settings.SENTRY_TRACES_SAMPLE_RATE,
+            "tunnel": reverse("sentry-browser-tunnel"),
+        }
 
     return {
         "build_sha": get_build_sha(),
         "default_from_email_address": parseaddr(settings.DEFAULT_FROM_EMAIL)[1].strip(),
-        "sentry_browser_loader_src": sentry_browser_loader_src,
+        "sentry_browser_bundle_src": sentry_browser_bundle_src,
         "sentry_browser_config": sentry_browser_config,
     }
 

astra_app/core/middleware.py

@@ -435,6 +435,7 @@ def __init__(self, get_response):
         self._allowed_prefixes: tuple[str, ...] = (
             settings.STATIC_URL,
             settings.MEDIA_URL,
+            "/_ci/",
             "/register",
             "/password-reset",
             "/admin/",

astra_app/core/static/core/vendor/sentry/bundle.tracing.min.js

@@ -18,26 +18,27 @@
   {% if not request.user.is_authenticated %}
     <link rel="stylesheet" href="{% static 'core/css/login.css' %}" />
   {% endif %}
-  {% if sentry_browser_loader_src and sentry_browser_config %}
+  {% if sentry_browser_bundle_src and sentry_browser_config %}
     {{ sentry_browser_config|json_script:"sentry-browser-config" }}
+    <script src="{{ sentry_browser_bundle_src }}"></script>
     <script>
-      window.sentryOnLoad = function () {
+      (function () {
         var configElement = document.getElementById("sentry-browser-config");
-        if (!configElement) {
+        if (!configElement || !(window.Sentry && window.Sentry.init)) {
           return;
         }
 
         var config = JSON.parse(configElement.textContent);
-        Sentry.init({
+        window.Sentry.init({
           dsn: config.dsn,
           environment: config.environment,
           release: config.release || undefined,
-          integrations: [Sentry.browserTracingIntegration()],
+          tunnel: config.tunnel,
+          integrations: [window.Sentry.browserTracingIntegration()],
           tracesSampleRate: config.tracesSampleRate
         });
-      };
+      })();
     </script>
-    <script src="{{ sentry_browser_loader_src }}" crossorigin="anonymous" data-lazy="no"></script>
   {% endif %}
   {% block extra_head %}{% endblock %}
 </head>

astra_app/core/templates/core/base.html

@@ -1,6 +1,7 @@
 from types import SimpleNamespace
 from unittest.mock import patch
 
+from django.contrib.staticfiles.storage import staticfiles_storage
 from django.test import SimpleTestCase, TestCase, override_settings
 
 from core.context_processors import build_info
@@ -14,12 +15,12 @@ class SentryBrowserContextTests(SimpleTestCase):
         SENTRY_RELEASE="build-123",
         SENTRY_TRACES_SAMPLE_RATE=0.25,
     )
-    def test_build_info_exposes_sentry_browser_loader_and_config(self) -> None:
+    def test_build_info_exposes_sentry_browser_bundle_and_config(self) -> None:
         context = build_info(SimpleNamespace())
 
         self.assertEqual(
-            context["sentry_browser_loader_src"],
-            "https://js.sentry-cdn.com/public.min.js",
+            context["sentry_browser_bundle_src"],
+            staticfiles_storage.url("core/vendor/sentry/bundle.tracing.min.js"),
         )
         self.assertEqual(
             context["sentry_browser_config"],
@@ -28,14 +29,15 @@ def test_build_info_exposes_sentry_browser_loader_and_config(self) -> None:
                 "environment": "staging",
                 "release": "build-123",
                 "tracesSampleRate": 0.25,
+                "tunnel": "/_ci/envelope/",
             },
         )
 
     @override_settings(SENTRY_DSN="")
     def test_build_info_omits_sentry_browser_config_without_dsn(self) -> None:
         context = build_info(SimpleNamespace())
 
-        self.assertEqual(context["sentry_browser_loader_src"], "")
+        self.assertEqual(context["sentry_browser_bundle_src"], "")
         self.assertIsNone(context["sentry_browser_config"])
 
 
@@ -51,7 +53,7 @@ def _login_as_freeipa(self, username: str) -> None:
         SENTRY_RELEASE="build-123",
         SENTRY_TRACES_SAMPLE_RATE=0.25,
     )
-    def test_profile_page_includes_sentry_browser_loader_and_config(self) -> None:
+    def test_profile_page_includes_sentry_browser_bundle_and_tunnel_config(self) -> None:
         username = "admin"
         self._login_as_freeipa(username)
 
@@ -71,10 +73,11 @@ def test_profile_page_includes_sentry_browser_loader_and_config(self) -> None:
         self.assertEqual(response.status_code, 200)
         self.assertContains(
             response,
-            'src="https://js.sentry-cdn.com/public.min.js"',
+            'src="/static/core/vendor/sentry/bundle.tracing.min.js"',
         )
         self.assertContains(response, 'id="sentry-browser-config"')
-        self.assertContains(response, "window.sentryOnLoad")
+        self.assertContains(response, "window.Sentry && window.Sentry.init")
         self.assertContains(response, '"environment": "staging"')
         self.assertContains(response, '"release": "build-123"')
-        self.assertContains(response, '"tracesSampleRate": 0.25')
+        self.assertContains(response, '"tracesSampleRate": 0.25')
+        self.assertContains(response, '"tunnel": "/_ci/envelope/"')

astra_app/core/tests/test_sentry_browser_templates.py

@@ -0,0 +1,62 @@
+from unittest.mock import Mock, patch
+
+import requests
+from django.test import SimpleTestCase, override_settings
+
+
+@override_settings(SENTRY_DSN="https://public@example.ingest.sentry.io/1")
+class SentryTunnelViewTests(SimpleTestCase):
+    def test_tunnel_url_is_wired(self) -> None:
+        response = self.client.get("/_ci/envelope/")
+
+        self.assertEqual(response.status_code, 405)
+
+    def test_tunnel_rejects_envelope_without_matching_dsn(self) -> None:
+        response = self.client.post(
+            "/_ci/envelope/",
+            data=b'{"dsn":"https://public@other.ingest.sentry.io/2"}\n{}',
+            content_type="application/x-sentry-envelope",
+        )
+
+        self.assertEqual(response.status_code, 400)
+        self.assertEqual(response.json(), {"ok": False, "error": "Invalid Sentry envelope DSN."})
+
+    def test_tunnel_forwards_matching_envelope(self) -> None:
+        upstream_response = Mock()
+        upstream_response.status_code = 200
+        upstream_response.content = b""
+        upstream_response.headers = {"Content-Type": "text/plain"}
+
+        envelope = b'{"dsn":"https://public@example.ingest.sentry.io/1"}\n{"type":"transaction"}\n{}'
+
+        with patch("core.views_sentry.requests.post", return_value=upstream_response) as post_mock:
+            response = self.client.post(
+                "/_ci/envelope/",
+                data=envelope,
+                content_type="application/x-sentry-envelope",
+            )
+
+        self.assertEqual(response.status_code, 200)
+        post_mock.assert_called_once_with(
+            "https://example.ingest.sentry.io/api/1/envelope/",
+            data=envelope,
+            headers={"Content-Type": "application/x-sentry-envelope"},
+            timeout=5,
+            allow_redirects=False,
+        )
+
+    def test_tunnel_returns_bad_gateway_when_upstream_fails(self) -> None:
+        envelope = b'{"dsn":"https://public@example.ingest.sentry.io/1"}\n{"type":"transaction"}\n{}'
+
+        with patch(
+            "core.views_sentry.requests.post",
+            side_effect=requests.RequestException("downstream failed"),
+        ):
+            response = self.client.post(
+                "/_ci/envelope/",
+                data=envelope,
+                content_type="application/x-sentry-envelope",
+            )
+
+        self.assertEqual(response.status_code, 502)
+        self.assertEqual(response.json(), {"ok": False, "error": "Failed to forward Sentry envelope."})

astra_app/core/tests/test_sentry_tunnel.py

@@ -12,6 +12,7 @@
     views_organizations,
     views_search,
     views_send_mail,
+    views_sentry,
     views_settings,
     views_static,
     views_templated_email,
@@ -21,6 +22,7 @@
 urlpatterns = [
     path("", views_users.home, name="home"),
     path("favicon.ico", RedirectView.as_view(url=staticfiles_storage.url("core/images/fav/favicon.ico"), permanent=True)),
+    path("_ci/envelope/", views_sentry.sentry_browser_tunnel, name="sentry-browser-tunnel"),
     path("users/", views_users.users, name="users"),
     path("users/grid/", views_users.users_grid, name="users-grid"),
     path("user/<str:username>/", views_users.user_profile, name="user-profile"),

astra_app/core/urls.py

@@ -0,0 +1,79 @@
+import json
+import logging
+from urllib.parse import urlsplit
+
+import requests
+from django.conf import settings
+from django.http import HttpRequest, HttpResponse, JsonResponse
+from django.views.decorators.csrf import csrf_exempt
+from django.views.decorators.http import require_POST
+
+logger = logging.getLogger(__name__)
+
+_SENTRY_TUNNEL_TIMEOUT_SECONDS = 5
+
+
+def _parse_sentry_dsn(dsn: str) -> tuple[str, str, int | None, str, str] | None:
+    parsed = urlsplit(dsn)
+    project_id = parsed.path.strip("/")
+    if not parsed.scheme or not parsed.hostname or not parsed.username or not project_id:
+        return None
+
+    return (parsed.scheme, parsed.hostname, parsed.port, parsed.username, project_id)
+
+
+def _configured_sentry_envelope_url() -> str | None:
+    parsed_dsn = _parse_sentry_dsn(settings.SENTRY_DSN)
+    if parsed_dsn is None:
+        return None
+
+    scheme, hostname, port, _public_key, project_id = parsed_dsn
+    netloc = f"{hostname}:{port}" if port else hostname
+    return f"{scheme}://{netloc}/api/{project_id}/envelope/"
+
+
+def _read_envelope_dsn(request: HttpRequest) -> str | None:
+    if not request.body:
+        return None
+
+    header_line = request.body.split(b"\n", maxsplit=1)[0]
+    if not header_line:
+        return None
+
+    try:
+        header_payload = json.loads(header_line.decode("utf-8"))
+    except (UnicodeDecodeError, json.JSONDecodeError):
+        return None
+
+    dsn = header_payload.get("dsn")
+    return str(dsn).strip() if dsn else None
+
+
+@csrf_exempt
+@require_POST
+def sentry_browser_tunnel(request: HttpRequest) -> HttpResponse:
+    upstream_url = _configured_sentry_envelope_url()
+    expected_dsn = _parse_sentry_dsn(settings.SENTRY_DSN)
+    request_dsn = _parse_sentry_dsn(_read_envelope_dsn(request) or "")
+
+    if upstream_url is None or expected_dsn is None or request_dsn != expected_dsn:
+        return JsonResponse({"ok": False, "error": "Invalid Sentry envelope DSN."}, status=400)
+
+    try:
+        upstream_response = requests.post(
+            upstream_url,
+            data=request.body,
+            headers={"Content-Type": request.content_type or "application/x-sentry-envelope"},
+            timeout=_SENTRY_TUNNEL_TIMEOUT_SECONDS,
+            allow_redirects=False,
+        )
+    except requests.RequestException:
+        logger.warning("Failed to forward Sentry envelope", exc_info=True)
+        return JsonResponse({"ok": False, "error": "Failed to forward Sentry envelope."}, status=502)
+
+    response = HttpResponse(
+        content=upstream_response.content,
+        status=upstream_response.status_code,
+        content_type=upstream_response.headers.get("Content-Type", "text/plain"),
+    )
+    return response