oauth: Add logging on failures

Author: dcramer

src/sentry/web/frontend/oauth_authorize.py

@@ -1,5 +1,6 @@
 from __future__ import absolute_import, print_function
 
+import logging
 import six
 
 from django.conf import settings
@@ -13,6 +14,8 @@
 )
 from sentry.web.frontend.auth_login import AuthLoginView
 
+logger = logging.getLogger('sentry.api')
+
 
 class OAuthAuthorizeView(AuthLoginView):
     auth_required = False
@@ -37,7 +40,13 @@ def redirect_response(self, response_type, redirect_uri, params):
         parts[4] = urlencode(query)
         return self.redirect(urlunparse(parts))
 
-    def error(self, response_type, redirect_uri, name, state=None):
+    def error(self, request, response_type, redirect_uri, name, state=None, client_id=None):
+        logging.error('oauth.authorize-error', extra={
+            'error_name': name,
+            'response_type': response_type,
+            'client_id': client_id,
+            'redirect_uri': redirect_uri,
+        })
         return self.redirect_response(
             response_type, redirect_uri, {
                 'error': name,
@@ -58,6 +67,12 @@ def get(self, request):
         force_prompt = request.GET.get('force_prompt')
 
         if not client_id:
+            logging.error('oauth.authorize-error', extra={
+                'error_name': 'unauthorized_client',
+                'response_type': response_type,
+                'client_id': client_id,
+                'redirect_uri': redirect_uri,
+            })
             return self.respond(
                 'sentry/oauth-error.html', {
                     'error': mark_safe('Missing or invalid <em>client_id</em> parameter.'),
@@ -70,6 +85,12 @@ def get(self, request):
                 status=ApiApplicationStatus.active,
             )
         except ApiApplication.DoesNotExist:
+            logging.error('oauth.authorize-error', extra={
+                'error_name': 'unauthorized_client',
+                'response_type': response_type,
+                'client_id': client_id,
+                'redirect_uri': redirect_uri,
+            })
             return self.respond(
                 'sentry/oauth-error.html', {
                     'error': mark_safe('Missing or invalid <em>client_id</em> parameter.'),
@@ -79,6 +100,12 @@ def get(self, request):
         if not redirect_uri:
             redirect_uri = application.get_default_redirect_uri()
         elif not application.is_valid_redirect_uri(redirect_uri):
+            logging.error('oauth.authorize-error', extra={
+                'error_name': 'invalid_request',
+                'response_type': response_type,
+                'client_id': client_id,
+                'redirect_uri': redirect_uri,
+            })
             return self.respond(
                 'sentry/oauth-error.html', {
                     'error': mark_safe('Missing or invalid <em>redirect_uri</em> parameter.'),
@@ -87,6 +114,8 @@ def get(self, request):
 
         if not application.is_allowed_response_type(response_type):
             return self.error(
+                request=request,
+                client_id=client_id,
                 response_type=response_type,
                 redirect_uri=redirect_uri,
                 name='unsupported_response_type',
@@ -98,6 +127,8 @@ def get(self, request):
             for scope in scopes:
                 if scope not in settings.SENTRY_SCOPES:
                     return self.error(
+                        request=request,
+                        client_id=client_id,
                         response_type=response_type,
                         redirect_uri=redirect_uri,
                         name='invalid_scope',
@@ -232,6 +263,8 @@ def post(self, request):
 
         elif op == 'deny':
             return self.error(
+                request=request,
+                client_id=payload['cid'],
                 response_type=response_type,
                 redirect_uri=redirect_uri,
                 name='access_denied',

src/sentry/web/frontend/oauth_token.py

@@ -1,5 +1,6 @@
 from __future__ import absolute_import, print_function
 
+import logging
 import six
 
 from django.http import HttpResponse
@@ -12,14 +13,25 @@
 from sentry.models import (ApiApplication, ApiApplicationStatus, ApiGrant, ApiToken)
 from sentry.utils import json
 
+logger = logging.getLogger('sentry.api')
+
 
 class OAuthTokenView(View):
     @csrf_exempt
     @never_cache
     def dispatch(self, request, *args, **kwargs):
         return super(OAuthTokenView, self).dispatch(request, *args, **kwargs)
 
-    def error(self, name, status=400):
+    def error(self, request, name, status=400):
+        client_id = request.POST.get('client_id')
+        redirect_uri = request.POST.get('redirect_uri')
+
+        logging.error('oauth.token-error', extra={
+            'error_name': name,
+            'status': status,
+            'client_id': client_id,
+            'redirect_uri': redirect_uri,
+        })
         return HttpResponse(
             json.dumps({
                 'error': name,
@@ -37,34 +49,34 @@ def post(self, request):
             code = request.POST.get('code')
 
             if not client_id:
-                return self.error('invalid_client')
+                return self.error(request, 'invalid_client')
 
             if not client_secret:
-                return self.error('invalid_client')
+                return self.error(request, 'invalid_client')
 
             try:
                 application = ApiApplication.objects.get(
                     client_id=client_id,
                     status=ApiApplicationStatus.active,
                 )
             except ApiApplication.DoesNotExist:
-                return self.error('invalid_client')
+                return self.error(request, 'invalid_client')
 
             if not constant_time_compare(client_secret, application.client_secret):
-                return self.error('invalid_client')
+                return self.error(request, 'invalid_client')
 
             try:
                 grant = ApiGrant.objects.get(application=application, code=code)
             except ApiGrant.DoesNotExist:
-                return self.error('invalid_grant')
+                return self.error(request, 'invalid_grant')
 
             if grant.is_expired():
-                return self.error('invalid_grant')
+                return self.error(request, 'invalid_grant')
 
             if not redirect_uri:
                 redirect_uri = application.get_default_redirect_uri()
             elif grant.redirect_uri != redirect_uri:
-                return self.error('invalid_grant')
+                return self.error(request, 'invalid_grant')
 
             token = ApiToken.from_grant(grant)
         elif grant_type == 'refresh_token':
@@ -74,40 +86,40 @@ def post(self, request):
             client_secret = request.POST.get('client_secret')
 
             if not refresh_token:
-                return self.error('invalid_request')
+                return self.error(request, 'invalid_request')
 
             # TODO(dcramer): support scope
             if scope:
-                return self.error('invalid_request')
+                return self.error(request, 'invalid_request')
 
             if not client_id:
-                return self.error('invalid_client')
+                return self.error(request, 'invalid_client')
 
             if not client_secret:
-                return self.error('invalid_client')
+                return self.error(request, 'invalid_client')
 
             try:
                 application = ApiApplication.objects.get(
                     client_id=client_id,
                     status=ApiApplicationStatus.active,
                 )
             except ApiApplication.DoesNotExist:
-                return self.error('invalid_client')
+                return self.error(request, 'invalid_client')
 
             if not constant_time_compare(client_secret, application.client_secret):
-                return self.error('invalid_client')
+                return self.error(request, 'invalid_client')
 
             try:
                 token = ApiToken.objects.get(
                     application=application,
                     refresh_token=refresh_token,
                 )
             except ApiToken.DoesNotExist:
-                return self.error('invalid_grant')
+                return self.error(request, 'invalid_grant')
 
             token.refresh()
         else:
-            return self.error('unsupported_grant_type')
+            return self.error(request, 'unsupported_grant_type')
 
         return HttpResponse(
             json.dumps(