Add download to release files

[HazAT]

[getsentry-bot]

	1 Warning
⚠️	Changes require @getsentry/security sign-off

Security concerns found

• src/sentry/api/endpoints/release_file_details.py
• src/sentry/static/sentry/app/views/releaseArtifacts.jsx

Generated by 🚫 danger

[mitsuhiko]

Looks good to me. Might need a CHANGES entry

[mattrobenolt]

No no, we explicitly cannot do this for security reasons. There are specific reasons why uploads are a one-way.

[mattrobenolt]

We need to surface this ability possibly only for superusers only or in our admin.

[mitsuhiko]

Can we put this behind a org admin permission / superuser flag or something like thatat least? It's super useful for support on react native

…

On Wed, Dec 21, 2016 at 16:46 Matt Robenolt ***@***.***> wrote: No no, we explicitly cannot do this for security reasons. There are specific reasons why uploads are a one-way. — You are receiving this because you are on a team that was mentioned. Reply to this email directly, view it on GitHub <#4704 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAAc5EvrLgTy1cf0RICh9ethXInJot7Kks5rKUnrgaJpZM4LTDdy> .

[mattrobenolt]

Unsure what we wanted to do, but @dcramer and @benvinegar should weigh their thoughts.

I personally think behind superuser check is fine.

[dcramer]

What's the security concern?

[mattrobenolt]

What's the security concern?

We never wanted having access to downloading release artifacts through the UI since this would expose source code to people on the org who maybe didn't have access before.

[dcramer]

@mattrobenolt then we scope it to the same perms. They already have indirect access via source expansion.

[mitsuhiko]

@dcramer by same perms you mean project:releases?

[dcramer]

Yeah I think so -- will defer to others here, but its my feeling that these aren't highly sensitive, and should be accessible by the same users who have permission to create/delete them.

[mitsuhiko]

I would just say we add an explicit check for projects:releases or projects:write and if one of them passes we permit the download.

[mattrobenolt]

We should do the same thing that Django does here for static file delivery, since it's the same idea: https://github.com/django/django/blob/1.6.11/django/views/static.py#L67-L68

The reason for this is if it's this CompatibleStreamingHttpResponse, we can actually stream the bytes back to the browser instead of blocking process while it downloads in memory. This streaming behavior is then also handled directly by uWSGI and deferred away from Django.

This happens here: https://github.com/getsentry/sentry/blob/master/src/sentry/wsgi.py#L44

[mattrobenolt]

We should also extract the mimetype from file.headers.get('content-type', 'application/octet-stream') since we typically have this information.

[mattrobenolt]

To be more explicit, this last line could be:

file = releasefile.file
fp = file.getfile()
CompatibleStreamingHttpResponse(
    iter(lambda: fp.read(4096), b''),
    content_type=file.headers.get('content-type', 'application/octet-stream'),
)

[mitsuhiko]

Oh I see. I thought HttpResponse already can handle this on its own but this just works by chance. Clever :P

[mattrobenolt]

We should stick with just project:write.

Checking for project:releases is kinda moot at this point anyways since literally any member has project:releases permission. But as of now, project:releases doesn't have any concept of read vs write, so this is effectively opening it up to everybody.

We should limit to project:write and document this behavior. We can always loosen constraint here if we have the need in the future. I'm hesitant on exposing this feature to people who potentially didn't have access to source code before, so I feel project:write is sufficient to start.

[mattrobenolt]

Same here for project:write.

According to @dcramer, which I agree with, we should leave the button here even if they don't have permission, but disable it with a tooltip saying that they don't have permission. That way we're not hiding things in the UI and they can see easily that they don't have permission to perform an action.

[mitsuhiko]

Just needs changes and a sign-off from @mattrobenolt i think.

[mattrobenolt]

You need to revert changes to the locale files.

[mattrobenolt]

We should also probably return a 403 here when requesting a download but don't have have permission.

[HazAT]

@mattrobenolt is there anything left to do?

[mattrobenolt]

We need some tests for this. They can be pretty trivial.

[HazAT]

Also wanted to write a api integration test but this
https://github.com/getsentry/sentry/pull/4704/files#diff-17bacf0f00a6813b38ad91e1b0efa99eR76
raises a raise ValueError('Cannot seek to pos')
Don't know how to have a seekable file for testing...

[mitsuhiko]

cStringIO.StringIO can seek over binary data. Not sure if that helps.

[mattrobenolt]

Can you commit the test code that fails? Hard to debug without seeing what you're doing. :)

[mitsuhiko]

I think you need to create the file before the release file and then use putfile on it:

from io import BytesIO
f = File.objects.create(...)
f.putfile(BytesIO(b'File contents here'))
ReleaseFIle.objects.create(..., file=f)

[mattrobenolt]

Yeah, that's it. :)

[HazAT]

Thx guys :)

[mitsuhiko]

Now only needs a CHANGES entry and this is ready to go.

[mattrobenolt]

It'd be worth adding an assertion for the contents of the payload here to match the BytesIO contents to confirm that we've actually downloaded the correct file.

As well as the correct headers. Content-Length, Content-Type, and Content-Disposition. Mostly because in this case, these things are actually significant and we wouldn't want to break them.

Other than this, lgtm.

[HazAT]

Squash Merge?

[mitsuhiko]

+1