kmlabz/sentry-onpremise
kmlabz/sentry-onpremise
Archived
2
0
Fork 0
Code Pull Requests Releases Activity

ref(relay): Remove PK and rely on INTERNAL_IPS (#572)

Browse Source 
This patch adds `INTERNAL_IPS` definition to `sentry.conf.py` by sniffing the network from eth0 and relies on this for trusted Relays instead of the ALLOWLISTED PKs. This removes the necessity of syncing Relay PKs to `sentry.conf.py`.

This PR needs getsentry/sentry#19798 to work.
This commit is contained in:
Burak Yigit Kaya 2020-07-10 23:53:50 +03:00 committed by GitHub
parent 9d44b99c55
commit 73213bc51f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 32 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -79,4 +79,5 @@ sentry/config.yml
sentry/*.bak sentry/*.bak
sentry/requirements.txt sentry/requirements.txt
relay/credentials.json relay/credentials.json
relay/config.yml
symbolicator/config.yml symbolicator/config.yml

14
install.sh
View File

@ -97,6 +97,7 @@ ensure_file_from_example $SENTRY_CONFIG_PY
ensure_file_from_example $SENTRY_CONFIG_YML ensure_file_from_example $SENTRY_CONFIG_YML
ensure_file_from_example $SENTRY_EXTRA_REQUIREMENTS ensure_file_from_example $SENTRY_EXTRA_REQUIREMENTS
ensure_file_from_example $SYMBOLICATOR_CONFIG_YML ensure_file_from_example $SYMBOLICATOR_CONFIG_YML
ensure_file_from_example $RELAY_CONFIG_YML
if grep -xq "system.secret-key: '!!changeme!!'" $SENTRY_CONFIG_YML ; then if grep -xq "system.secret-key: '!!changeme!!'" $SENTRY_CONFIG_YML ; then
echo "" echo ""
@ -245,19 +246,6 @@ if [ ! -f "$RELAY_CREDENTIALS_JSON" ]; then
echo "Relay credentials written to $RELAY_CREDENTIALS_JSON" echo "Relay credentials written to $RELAY_CREDENTIALS_JSON"
fi fi
RELAY_CREDENTIALS=$(sed -n 's/^.*"public_key"[[:space:]]*:[[:space:]]*"\([a-zA-Z0-9_-]\{1,\}\)".*$/\1/p' "$RELAY_CREDENTIALS_JSON")
if [ -z "$RELAY_CREDENTIALS" ]; then
>&2 echo "FAIL: Cannot read credentials back from $RELAY_CREDENTIALS_JSON."
>&2 echo " Please ensure this file is readable and contains valid credentials."
>&2 echo ""
exit 1
fi
if ! grep -q "\"$RELAY_CREDENTIALS\"" "$SENTRY_CONFIG_PY"; then
echo "SENTRY_RELAY_WHITELIST_PK = (SENTRY_RELAY_WHITELIST_PK or []) + ([\"$RELAY_CREDENTIALS\"])" >> "$SENTRY_CONFIG_PY"
echo "Relay public key written to $SENTRY_CONFIG_PY"
echo ""
fi
cleanup cleanup

1
relay/config.yml → relay/config.example.yml
View File

@ -1,4 +1,3 @@
---
relay: relay:
upstream: "http://web:9000/" upstream: "http://web:9000/"
host: 0.0.0.0 host: 0.0.0.0

30
sentry/sentry.conf.example.py
View File

@ -3,6 +3,36 @@
from sentry.conf.server import * # NOQA from sentry.conf.server import * # NOQA
# Generously adapted from pynetlinux: https://git.io/JJmga
def get_internal_network():
import ctypes
import fcntl
import math
import socket
import struct
iface = 'eth0'
sockfd = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
ifreq = struct.pack('16sH14s', iface, socket.AF_INET, b'\x00' * 14)
try:
ip = struct.unpack(
"!I", struct.unpack('16sH2x4s8x', fcntl.ioctl(sockfd, 0x8915, ifreq))[2]
)[0]
netmask = socket.ntohl(
struct.unpack('16sH2xI8x', fcntl.ioctl(sockfd, 0x891B, ifreq))[2]
)
except IOError:
return ()
base = socket.inet_ntoa(struct.pack("!I", ip & netmask))
netmask_bits = 32 - int(round(math.log(ctypes.c_uint32(~netmask).value + 1, 2), 1))
return ('{0:s}/{1:d}'.format(base, netmask_bits),)
INTERNAL_IPS = get_internal_network()
INTERNAL_SYSTEM_IPS = INTERNAL_IPS
DATABASES = { DATABASES = {
"default": { "default": {
"ENGINE": "sentry.db.postgres", "ENGINE": "sentry.db.postgres",