fix(vercel): tighten internal integration scopes to org:ci

src/sentry/auth/access.py

@@ -43,6 +43,10 @@
     "from_rpc_member",
 )
 
+# These scopes are not represented in organization member roles, but auth tokens
+# still need to retain them when request access is derived from the token.
+NON_ROLE_TOKEN_SCOPES = frozenset({"org:ci", "project:distribution"})
+
 
 def has_role_in_organization(role: str, organization: Organization, user_id: int) -> bool:
     query = OrganizationMember.objects.filter(
@@ -193,6 +197,18 @@ def has_any_project_scope(self, project: Project, scopes: Collection[str]) -> bo
         pass
 
 
+def _intersect_member_and_token_scopes(
+    member_scopes: Collection[str], token_scopes: Iterable[str] | None
+) -> frozenset[str]:
+    if token_scopes is None:
+        return frozenset(member_scopes)
+
+    requested_scopes = frozenset(token_scopes)
+    return (requested_scopes & frozenset(member_scopes)) | (
+        requested_scopes & NON_ROLE_TOKEN_SCOPES
+    )
+
+
 @dataclass
 class DbAccess(Access):
     # TODO(dcramer): this is still a little gross, and ideally backend access
@@ -440,8 +456,9 @@ def scopes(self) -> frozenset[str]:
         if self.scopes_upper_bound is None:
             return frozenset(self.rpc_user_organization_context.member.scopes)
 
-        return frozenset(self.rpc_user_organization_context.member.scopes) & frozenset(
-            self.scopes_upper_bound
+        return _intersect_member_and_token_scopes(
+            self.rpc_user_organization_context.member.scopes,
+            self.scopes_upper_bound,
         )
 
     # TODO(cathy): remove this
@@ -1133,10 +1150,7 @@ def from_member(
     is_superuser: bool = False,
     is_staff: bool = False,
 ) -> Access:
-    if scopes is not None:
-        scope_intersection = frozenset(scopes) & member.get_scopes()
-    else:
-        scope_intersection = member.get_scopes()
+    scope_intersection = _intersect_member_and_token_scopes(member.get_scopes(), scopes)
 
     if (is_superuser or is_staff) and member.user_id is not None:
         # "permissions" is a bit of a misnomer -- these are all admin level permissions, and the intent is that if you

src/sentry/conf/server.py

@@ -1919,6 +1919,12 @@ def custom_parameter_sort(parameter: dict) -> tuple[str, int]:
         ("org:write", "Read and write access to organization details."),
         ("org:read", "Read access to organization details."),
     ),
+    (
+        (
+            "org:ci",
+            "Access to CI workflows including source map uploads, release creation, and code mappings.",
+        ),
+    ),
     (
         (
             "org:integrations",

src/sentry/integrations/vercel/integration.py

@@ -492,7 +492,7 @@ def post_install(
             is_internal=True,
             verify_install=False,
             overview=internal_integration_overview.strip(),
-            scopes=["project:releases", "project:read", "project:write"],
+            scopes=["org:ci"],
         ).run(user=user)
         sentry_app_installation = SentryAppInstallation.objects.get(sentry_app=sentry_app)
         SentryAppInstallationForProvider.objects.create(

src/sentry/models/apiscopes.py

@@ -33,7 +33,7 @@ class ApiScopes(Sequence):
 
     event = (("event:read"), ("event:write"), ("event:admin"))
 
-    org = (("org:read"), ("org:write"), ("org:integrations"), ("org:admin"))
+    org = (("org:read"), ("org:write"), ("org:integrations"), ("org:admin"), ("org:ci"))
 
     member = (("member:read"), ("member:write"), ("member:admin"), ("member:invite"))
 
@@ -84,6 +84,7 @@ class Meta:
             "org:read": bool,
             "org:write": bool,
             "org:admin": bool,
+            "org:ci": bool,
             "member:read": bool,
             "member:write": bool,
             "member:admin": bool,

tests/sentry/api/endpoints/test_api_tokens.py

@@ -65,6 +65,14 @@ def test_simple(self) -> None:
         assert not token.refresh_token
         assert token.get_scopes() == ["event:read"]
 
+    def test_ci_scope(self) -> None:
+        self.login_as(self.user)
+        url = reverse("sentry-api-0-api-tokens")
+        response = self.client.post(url, data={"scopes": ["org:ci"]})
+        assert response.status_code == 201
+        token = ApiToken.objects.get(user=self.user)
+        assert token.get_scopes() == ["org:ci"]
+
     def test_never_cache(self) -> None:
         self.login_as(self.user)
         url = reverse("sentry-api-0-api-tokens")

tests/sentry/api/endpoints/test_organization_releases.py

@@ -2123,6 +2123,74 @@ def test_org_auth_token(self) -> None:
         assert org_token.date_last_used is not None
         assert org_token.project_last_used_id == project1.id
 
+    def test_sentry_app_installation_token_with_org_ci_scope(self) -> None:
+        """
+        We switched to org:ci for Vercel SentryApp in PR #113394 but the
+        existing webhook tests didn't test for scopes specifically.
+        """
+        user = self.create_user(is_staff=False, is_superuser=False)
+        org = self.create_organization()
+        org.flags.allow_joinleave = False
+        org.save()
+
+        team = self.create_team(organization=org)
+        project = self.create_project(teams=[team], organization=org)
+
+        url = reverse(
+            "sentry-api-0-organization-releases",
+            kwargs={"organization_id_or_slug": org.slug},
+        )
+
+        sentry_app = self.create_internal_integration(
+            name="Test Vercel Internal Integration",
+            organization=org,
+            user=user,
+            scopes=["org:ci"],
+        )
+        token = self.create_internal_integration_token(user=user, internal_integration=sentry_app)
+
+        with outbox_runner():
+            response = self.client.post(
+                url,
+                data={"version": "1.2.1", "projects": [project.slug]},
+                HTTP_AUTHORIZATION=f"Bearer {token.token}",
+            )
+        assert response.status_code == 201, response.content
+        assert Release.objects.filter(organization_id=org.id, version="1.2.1").exists()
+
+        app_no_scope = self.create_internal_integration(
+            name="Test No Scope Integration",
+            organization=org,
+            user=user,
+            scopes=[],
+        )
+        token_no_scope = self.create_internal_integration_token(
+            user=user, internal_integration=app_no_scope
+        )
+        response = self.client.post(
+            url,
+            data={"version": "1.2.2", "projects": [project.slug]},
+            HTTP_AUTHORIZATION=f"Bearer {token_no_scope.token}",
+        )
+        assert response.status_code == 403
+
+        other_org = self.create_organization()
+        foreign_app = self.create_internal_integration(
+            name="Foreign Org Integration",
+            organization=other_org,
+            user=user,
+            scopes=["org:ci"],
+        )
+        foreign_token = self.create_internal_integration_token(
+            user=user, internal_integration=foreign_app
+        )
+        response = self.client.post(
+            url,
+            data={"version": "1.2.3", "projects": [project.slug]},
+            HTTP_AUTHORIZATION=f"Bearer {foreign_token.token}",
+        )
+        assert response.status_code == 403
+
     @patch("sentry.tasks.commits.fetch_commits")
     def test_api_token(self, mock_fetch_commits: MagicMock) -> None:
         user = self.create_user(is_staff=False, is_superuser=False)

tests/sentry/core/endpoints/test_organization_cell.py

@@ -1,7 +1,6 @@
 from sentry.models.organization import Organization
-from sentry.models.organizationmember import OrganizationMember
 from sentry.testutils.cases import APITestCase
-from sentry.testutils.silo import assume_test_silo_mode_of, control_silo_test, create_test_cells
+from sentry.testutils.silo import control_silo_test, create_test_cells
 from sentry.types.cell import Cell, get_cell_by_name, get_global_directory
 from sentry.utils.security.orgauthtoken_token import generate_token, hash_token
 
@@ -136,10 +135,7 @@ def test_user_auth_token_for_owner(self) -> None:
 
     def test_user_auth_token_for_member(self) -> None:
         org_user = self.create_user()
-        with assume_test_silo_mode_of(OrganizationMember):
-            OrganizationMember.objects.create(
-                user_id=org_user.id, organization_id=self.org.id, role="member"
-            )
+        self.create_member(user=org_user, organization=self.org, role="member")
 
         user_auth_token = self.create_user_auth_token(user=org_user, scope_list=["org:read"])
         response = self.send_get_request_with_auth(self.org.slug, user_auth_token.token)
@@ -149,6 +145,18 @@ def test_user_auth_token_for_member(self) -> None:
         assert us_locality is not None
         assert response.data == {"url": us_locality.to_url(""), "name": us_locality.name}
 
+    def test_user_auth_token_for_member_with_org_ci(self) -> None:
+        org_user = self.create_user()
+        self.create_member(user=org_user, organization=self.org, role="member")
+
+        user_auth_token = self.create_user_auth_token(user=org_user, scope_list=["org:ci"])
+        response = self.send_get_request_with_auth(self.org.slug, user_auth_token.token)
+
+        assert response.status_code == 200
+        us_locality = get_global_directory().get_locality_for_cell("us")
+        assert us_locality is not None
+        assert response.data == {"url": us_locality.to_url(""), "name": us_locality.name}
+
     def test_user_auth_token_for_non_member(self) -> None:
         user_auth_token = self.create_user_auth_token(
             user=self.create_user(), scope_list=["org:read"]

tests/sentry/web/frontend/test_oauth_authorize.py

@@ -229,6 +229,22 @@ def test_approve_flow_non_scope_set(self) -> None:
             "Read, write, and admin access to organization members."
         ]
 
+    def test_org_ci_scope_has_its_own_permission_description(self) -> None:
+        self.login_as(self.user)
+
+        resp = self.client.get(
+            f"{self.path}?response_type=code&client_id={self.application.client_id}&scope=org:read org:ci"
+        )
+
+        assert resp.status_code == 200
+        self.assertTemplateUsed("sentry/oauth-authorize.html")
+        assert resp.context["application"] == self.application
+        assert resp.context["scopes"] == ["org:read", "org:ci"]
+        assert resp.context["permissions"] == [
+            "Read access to organization details.",
+            "Access to CI workflows including source map uploads, release creation, and code mappings.",
+        ]
+
     def test_unauthenticated_basic_auth(self) -> None:
         full_path = f"{self.path}?response_type=code&client_id={self.application.client_id}"