From 79a0a97d18f22d521a09503d3c5ac07f37cce060 Mon Sep 17 00:00:00 2001
From: Burak Yigit Kaya
Date: Thu, 9 Jul 2020 23:58:10 +0300
Subject: [PATCH 1/2] ref(relay): Remove PK and rely on INTERNAL_IPS

This patch adds INTERNAL_IPS definition to sentry.conf.py by sniffing the network from eth0 and relies on this for trusted Relays instead of the ALLOWLISTED PKs. This removes the necessity of generating and syncing Relay PKs.
---
 .gitignore | 1 +
 install.sh | 14 +----------
 relay/{config.yml => config.example.yml} | 1 -
 sentry/sentry.conf.example.py | 29 ++++++++++++++++++++++++
 4 files changed, 31 insertions(+), 14 deletions(-)
 rename relay/{config.yml => config.example.yml} (98%)

diff --git a/.gitignore b/.gitignore
index 3f2261c8fea..b8ee807d527 100644
--- a/.gitignore
+++ b/.gitignore
@@ -79,4 +79,5 @@ sentry/config.yml
 sentry/*.bak
 sentry/requirements.txt
 relay/credentials.json
+relay/config.yml
 symbolicator/config.yml
diff --git a/install.sh b/install.sh
index f9e91c4d872..aea57a6814b 100755
--- a/install.sh
+++ b/install.sh
@@ -97,6 +97,7 @@ ensure_file_from_example $SENTRY_CONFIG_PY
 ensure_file_from_example $SENTRY_CONFIG_YML
 ensure_file_from_example $SENTRY_EXTRA_REQUIREMENTS
 ensure_file_from_example $SYMBOLICATOR_CONFIG_YML
+ensure_file_from_example $RELAY_CONFIG_YML
 if grep -xq "system.secret-key: '!!changeme!!'" $SENTRY_CONFIG_YML ; then
 echo ""
@@ -245,19 +246,6 @@ if [ ! -f "$RELAY_CREDENTIALS_JSON" ]; then
 echo "Relay credentials written to $RELAY_CREDENTIALS_JSON"
 fi
-RELAY_CREDENTIALS=$(sed -n 's/^.*"public_key"[[:space:]]*:[[:space:]]*"\([a-zA-Z0-9_-]\{1,\}\)".*$/\1/p' "$RELAY_CREDENTIALS_JSON")
-if [ -z "$RELAY_CREDENTIALS" ]; then
- >&2 echo "FAIL: Cannot read credentials back from $RELAY_CREDENTIALS_JSON."
- >&2 echo " Please ensure this file is readable and contains valid credentials."
- >&2 echo ""
- exit 1
-fi
-
-if ! grep -q "\"$RELAY_CREDENTIALS\"" "$SENTRY_CONFIG_PY"; then
- echo "SENTRY_RELAY_WHITELIST_PK = (SENTRY_RELAY_WHITELIST_PK or []) + ([\"$RELAY_CREDENTIALS\"])" >> "$SENTRY_CONFIG_PY"
- echo "Relay public key written to $SENTRY_CONFIG_PY"
- echo ""
-fi
 cleanup
diff --git a/relay/config.yml b/relay/config.example.yml
similarity index 98%
rename from relay/config.yml
rename to relay/config.example.yml
index da00363fba7..f54c9348ea7 100644
--- a/relay/config.yml
+++ b/relay/config.example.yml
@@ -1,4 +1,3 @@
----
 relay:
 upstream: "http://web:9000/"
 host: 0.0.0.0
diff --git a/sentry/sentry.conf.example.py b/sentry/sentry.conf.example.py
index 05862cbd405..07ccaa287f2 100644
--- a/sentry/sentry.conf.example.py
+++ b/sentry/sentry.conf.example.py
@@ -3,6 +3,35 @@ from sentry.conf.server import * # NOQA
+
+# Generously adapted from pynetlinux: https://git.io/JJmga
+def get_internal_network():
+ import ctypes
+ import fcntl
+ import math
+ import socket
+ import struct
+ iface = 'eth0'
+ sockfd = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+ ifreq = struct.pack('16sH14s', iface, socket.AF_INET, b'\x00' * 14)
+
+ try:
+ ip = struct.unpack( "!I", struct.unpack('16sH2x4s8x', fcntl.ioctl(sockfd, 0x8915, ifreq))[2] )[0]
+ netmask = socket.ntohl( struct.unpack('16sH2xI8x', fcntl.ioctl(sockfd, 0x891B, ifreq))[2] )
+ except IOError:
+ return ()
+ base = socket.inet_ntoa(struct.pack("!I", ip & netmask))
+ netmask_bits = 32 - int(round(math.log(ctypes.c_uint32(~netmask).value + 1, 2), 1))
+ return ('{0:s}/{1:d}'.format(base, netmask_bits),)
+
+
+INTERNAL_IPS = get_internal_network()
+
 DATABASES = {
 "default": {
 "ENGINE": "sentry.db.postgres",

From 988596581bac49f9cbab283a2fa5b1e8c1de7ade Mon Sep 17 00:00:00 2001
From: Burak Yigit Kaya
Date: Fri, 10 Jul 2020 21:03:06 +0300
Subject: [PATCH 2/2] set INTERNAL_SYSTEM_IPS to INTERNAL_IPS

---
 sentry/sentry.conf.example.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sentry/sentry.conf.example.py b/sentry/sentry.conf.example.py
index 07ccaa287f2..7116f9c7337 100644
--- a/sentry/sentry.conf.example.py
+++ b/sentry/sentry.conf.example.py
@@ -31,6 +31,7 @@ def get_internal_network():
 INTERNAL_IPS = get_internal_network()
+INTERNAL_SYSTEM_IPS = INTERNAL_IPS
 DATABASES = {
 "default": {
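Review bot: `struct.pack('16sH14s', iface, ...)` in get_internal_network is handed the text string `'eth0'`; the `s` format only accepts bytes under Python 3, so if this config is ever loaded by a Python 3 Sentry the call raises `struct.error` — it sits outside the `try`, which only catches `IOError` — and the settings module fails to import at `INTERNAL_IPS = get_internal_network()`; `iface = b'eth0'` works on both interpreters. The `sockfd` socket is also never closed, and a failed ioctl returns `()` with no diagnostic, leaving INTERNAL_IPS (and, in the second patch's hunk, INTERNAL_SYSTEM_IPS) empty so that, going by the commit message, Relay is quietly no longer trusted; a `try/finally` that closes the socket plus a stderr warning on the failure path makes both visible, as sketched below (it needs `import sys` beside the other function-local imports). Since this subnet now carries the trust the removed public-key allowlist used to provide, a comment on `INTERNAL_IPS = get_internal_network()` should state that every host on the eth0 network — every container attached to that Docker network, not only the relay service — is treated as internal.
```python
def get_internal_network():
    # … unchanged: ctypes / fcntl / math / socket / struct imports (plus sys) …

    iface = b'eth0'  # bytes: the struct 's' format rejects str on Python 3
    sockfd = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    ifreq = struct.pack('16sH14s', iface, socket.AF_INET, b'\x00' * 14)

    try:
        # … unchanged: the two ioctl/unpack calls that set ip and netmask …
    except IOError:
        sys.stderr.write('WARNING: cannot read address/netmask of eth0; INTERNAL_IPS left empty\n')
        return ()
    finally:
        sockfd.close()
    # … unchanged: base / netmask_bits computation and return …
```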