Merge branch 'master' into set-referrer-org-menu

Author: bcoe

migrations_lockfile.txt

@@ -29,7 +29,7 @@ prevent: 0002_alter_integration_id_not_null
 
 releases: 0004_cleanup_failed_safe_deletes
 
-replays: 0006_add_bulk_delete_job
+replays: 0007_organizationmember_replay_access
 
 sentry: 1013_add_repositorysettings_table
 

src/sentry/api/endpoints/organization_trace_item_stats.py

@@ -1,4 +1,6 @@
 import logging
+from collections import defaultdict
+from concurrent.futures import ThreadPoolExecutor, as_completed
 
 from rest_framework import serializers
 from rest_framework.request import Request
@@ -13,7 +15,7 @@
 from sentry.api.bases import NoProjects, OrganizationEventsEndpointBase
 from sentry.api.endpoints.organization_trace_item_attributes import adjust_start_end_window
 from sentry.api.event_search import translate_escape_sequences
-from sentry.api.serializers import serialize
+from sentry.api.serializers.base import serialize
 from sentry.api.utils import handle_query_errors
 from sentry.models.organization import Organization
 from sentry.search.eap.constants import SUPPORTED_STATS_TYPES
@@ -73,6 +75,7 @@ class OrganizationTraceItemsStatsSerializer(serializers.Serializer):
     limit = serializers.IntegerField(
         required=False,
     )
+    spansLimit = serializers.IntegerField(required=False, default=1000, max_value=1000)
 
 
 @region_silo_endpoint
@@ -98,9 +101,6 @@ def get(self, request: Request, organization: Organization) -> Response:
             params=snuba_params, config=resolver_config, definitions=SPAN_DEFINITIONS
         )
 
-        query_string = serialized.get("query")
-        query_filter, _, _ = resolver.resolve_query(query_string)
-
         substring_match = serialized.get("substringMatch", "")
         value_substring_match = translate_escape_sequences(substring_match)
 
@@ -127,12 +127,12 @@ def get_table_results():
                     params=snuba_params,
                     config=SearchResolverConfig(),
                     offset=0,
-                    limit=1000,
+                    limit=serialized.get("spansLimit", 1000),
                     sampling_mode=snuba_params.sampling_mode,
                     query_string=serialized.get("query", ""),
-                    orderby=["span_id"],
+                    orderby=["-timestamp"],
                     referrer=Referrer.API_SPANS_FREQUENCY_STATS_RPC.value,
-                    selected_columns=["span_id"],
+                    selected_columns=["span_id", "timestamp"],
                 )
 
         def run_stats_query_with_span_ids(span_id_filter):
@@ -204,9 +204,29 @@ def data_fn(offset: int, limit: int):
                         AttributeKey(name=requested_key, type=AttributeKey.TYPE_STRING)
                     )
 
-            stats_results = run_stats_query_with_error_handling(request_attrs_list)
+            chunked_attributes: defaultdict[int, list[AttributeKey]] = defaultdict(list)
+            for i, attr in enumerate(request_attrs_list):
+                chunked_attributes[i % MAX_THREADS].append(
+                    AttributeKey(name=attr.name, type=AttributeKey.TYPE_STRING)
+                )
 
-            return {"data": stats_results}, len(request_attrs_list)
+            stats_results: dict[str, dict[str, dict]] = defaultdict(lambda: {"data": {}})
+            with ThreadPoolExecutor(
+                thread_name_prefix=__name__,
+                max_workers=MAX_THREADS,
+            ) as query_thread_pool:
+                futures = [
+                    query_thread_pool.submit(run_stats_query_with_error_handling, attributes)
+                    for attributes in chunked_attributes.values()
+                ]
+
+                for future in as_completed(futures):
+                    result = future.result()
+                    for stats in result:
+                        for stats_type, data in stats.items():
+                            stats_results[stats_type]["data"].update(data["data"])
+
+            return {"data": [{k: v} for k, v in stats_results.items()]}, len(request_attrs_list)
 
         return self.paginate(
             request=request,

src/sentry/api/serializers/models/organization.py

@@ -81,6 +81,7 @@
 from sentry.models.team import Team, TeamStatus
 from sentry.organizations.absolute_url import generate_organization_url
 from sentry.organizations.services.organization import RpcOrganizationSummary
+from sentry.replays.models import OrganizationMemberReplayAccess
 from sentry.users.models.user import User
 from sentry.users.services.user.model import RpcUser
 from sentry.users.services.user.service import user_service
@@ -563,13 +564,51 @@ class DetailedOrganizationSerializerResponse(_DetailedOrganizationSerializerResp
     autoEnableCodeReview: bool
     autoOpenPrs: bool
     defaultCodeReviewTriggers: list[str]
+    hasGranularReplayPermissions: bool
+    replayAccessMembers: list[int]
 
 
 class DetailedOrganizationSerializer(OrganizationSerializer):
     def get_attrs(
         self, item_list: Sequence[Organization], user: User | RpcUser | AnonymousUser, **kwargs: Any
     ) -> MutableMapping[Organization, MutableMapping[str, Any]]:
-        return super().get_attrs(item_list, user)
+        attrs = super().get_attrs(item_list, user)
+
+        replay_permissions = {}
+        has_feature = features.batch_has_for_organizations(
+            "organizations:granular-replay-permissions", item_list
+        )
+        if has_feature and any(has_feature.values()):
+            replay_permissions = {
+                opt.organization_id: opt.value
+                for opt in OrganizationOption.objects.filter(
+                    organization__in=item_list, key="sentry:granular-replay-permissions"
+                )
+            }
+
+            # Only process replay access data if replay_permissions is enabled for at least one org
+            enabled_org_ids = [org_id for org_id, enabled in replay_permissions.items() if enabled]
+            replay_access_by_org: dict[int, list[int]] = {}
+            if enabled_org_ids:
+                for org_id, user_id in OrganizationMemberReplayAccess.objects.filter(
+                    organizationmember__organization__in=enabled_org_ids
+                ).values_list("organizationmember__organization_id", "organizationmember__user_id"):
+                    if user_id is not None:
+                        replay_access_by_org.setdefault(org_id, []).append(user_id)
+
+            for item in item_list:
+                attrs[item]["replay_permissions_enabled"] = replay_permissions.get(item.id, False)
+                attrs[item]["replay_access_members"] = (
+                    replay_access_by_org.get(item.id, [])
+                    if replay_permissions.get(item.id, False)
+                    else []
+                )
+        else:
+            for item in item_list:
+                attrs[item]["replay_permissions_enabled"] = False
+                attrs[item]["replay_access_members"] = []
+
+        return attrs
 
     def serialize(  # type: ignore[override]
         self,
@@ -745,8 +784,14 @@ def serialize(  # type: ignore[override]
                 team__organization=obj
             ).count(),
             "isDynamicallySampled": is_dynamically_sampled,
+            "hasGranularReplayPermissions": False,
+            "replayAccessMembers": [],
         }
 
+        if features.has("organizations:granular-replay-permissions", obj):
+            context["hasGranularReplayPermissions"] = bool(attrs.get("replay_permissions_enabled"))
+            context["replayAccessMembers"] = attrs.get("replay_access_members", [])
+
         if has_custom_dynamic_sampling(obj, actor=user):
             context["targetSampleRate"] = float(
                 obj.get_option("sentry:target_sample_rate", TARGET_SAMPLE_RATE_DEFAULT)
@@ -796,6 +841,8 @@ def serialize(  # type: ignore[override]
         "streamlineOnly",
         "ingestThroughTrustedRelaysOnly",
         "enabledConsolePlatforms",
+        "hasGranularReplayPermissions",
+        "replayAccessMembers",
     ]
 )
 class DetailedOrganizationSerializerWithProjectsAndTeamsResponse(

src/sentry/api/urls.py

@@ -535,6 +535,9 @@
 from sentry.seer.endpoints.organization_seer_rpc import OrganizationSeerRpcEndpoint
 from sentry.seer.endpoints.organization_seer_setup_check import OrganizationSeerSetupCheck
 from sentry.seer.endpoints.organization_trace_summary import OrganizationTraceSummaryEndpoint
+from sentry.seer.endpoints.project_autofix_automation_settings import (
+    ProjectAutofixAutomationSettingsEndpoint,
+)
 from sentry.seer.endpoints.project_seer_preferences import ProjectSeerPreferencesEndpoint
 from sentry.seer.endpoints.seer_rpc import SeerRpcServiceEndpoint
 from sentry.seer.endpoints.trace_explorer_ai_query import TraceExplorerAIQuery
@@ -2675,6 +2678,11 @@ def create_group_urls(name_prefix: str) -> list[URLPattern | URLResolver]:
         ProjectAlertRuleIndexEndpoint.as_view(),
         name="sentry-api-0-project-alert-rules",
     ),
+    re_path(
+        r"^(?P<organization_id_or_slug>[^/]+)/(?P<project_id_or_slug>[^/]+)/autofix/automation-settings/$",
+        ProjectAutofixAutomationSettingsEndpoint.as_view(),
+        name="sentry-api-0-project-autofix-automation-settings",
+    ),
     re_path(
         r"^(?P<organization_id_or_slug>[^/]+)/(?P<project_id_or_slug>[^/]+)/alert-rule-task/(?P<task_uuid>[^/]+)/$",
         ProjectAlertRuleTaskDetailsEndpoint.as_view(),

src/sentry/backup/comparators.py

@@ -982,6 +982,9 @@ def get_default_comparators() -> dict[str, list[JSONScrubbingComparator]]:
                 DateUpdatedComparator("date_updated", "date_added")
             ],
             "monitors.monitor": [UUID4Comparator("guid")],
+            "replays.organizationmemberreplayaccess": [
+                DateUpdatedComparator("date_updated", "date_added")
+            ],
         },
     )
 

src/sentry/core/endpoints/organization_details.py

@@ -11,6 +11,7 @@
 from django.utils import timezone as django_timezone
 from drf_spectacular.utils import OpenApiResponse, extend_schema, extend_schema_serializer
 from rest_framework import serializers, status
+from rest_framework.exceptions import NotFound, PermissionDenied
 from sentry_sdk import capture_exception
 
 from bitfield.types import BitHandler
@@ -94,6 +95,7 @@
 from sentry.models.options.organization_option import OrganizationOption
 from sentry.models.options.project_option import ProjectOption
 from sentry.models.organization import Organization, OrganizationStatus
+from sentry.models.organizationmember import OrganizationMember
 from sentry.models.project import Project
 from sentry.organizations.services.organization import organization_service
 from sentry.organizations.services.organization.model import (
@@ -102,6 +104,7 @@
     RpcOrganizationDeleteState,
 )
 from sentry.relay.datascrubbing import validate_pii_config_update, validate_pii_selectors
+from sentry.replays.models import OrganizationMemberReplayAccess
 from sentry.seer.autofix.constants import AutofixAutomationTuningSettings
 from sentry.services.organization.provisioning import (
     OrganizationSlugCollisionException,
@@ -369,6 +372,13 @@ class OrganizationSerializer(BaseOrganizationSerializer):
     ingestThroughTrustedRelaysOnly = serializers.ChoiceField(
         choices=[("enabled", "enabled"), ("disabled", "disabled")], required=False
     )
+    hasGranularReplayPermissions = serializers.BooleanField(required=False)
+    replayAccessMembers = serializers.ListField(
+        child=serializers.IntegerField(),
+        required=False,
+        allow_null=True,
+        help_text="List of user IDs that have access to replay data. Only modifiable by owners and managers.",
+    )
 
     def _has_sso_enabled(self):
         org = self.context["organization"]
@@ -475,6 +485,26 @@ def validate_samplingMode(self, value):
 
         return value
 
+    def validate_hasGranularReplayPermissions(self, value):
+        self._validate_granular_replay_permissions()
+        return value
+
+    def validate_replayAccessMembers(self, value):
+        self._validate_granular_replay_permissions()
+        return value
+
+    def _validate_granular_replay_permissions(self):
+        organization = self.context["organization"]
+        request = self.context["request"]
+
+        if not features.has("organizations:granular-replay-permissions", organization):
+            raise NotFound("This feature is not enabled for your organization.")
+
+        if not request.access.has_scope("org:admin"):
+            raise PermissionDenied(
+                "You do not have permission to modify granular replay permissions."
+            )
+
     def validate(self, attrs):
         attrs = super().validate(attrs)
         if attrs.get("avatarType") == "upload":
@@ -589,6 +619,74 @@ def save(self, **kwargs):
         if trusted_relay_info is not None:
             self.save_trusted_relays(trusted_relay_info, changed_data, org)
 
+        if "hasGranularReplayPermissions" in data:
+            option_key = "sentry:granular-replay-permissions"
+            new_value = data["hasGranularReplayPermissions"]
+            option_inst, created = OrganizationOption.objects.get_or_create(
+                organization=org, key=option_key, defaults={"value": new_value}
+            )
+            if not created and option_inst.value != new_value:
+                old_val = option_inst.value
+                option_inst.value = new_value
+                option_inst.save()
+                changed_data["hasGranularReplayPermissions"] = f"from {old_val} to {new_value}"
+            elif created:
+                changed_data["hasGranularReplayPermissions"] = f"to {new_value}"
+
+        if "replayAccessMembers" in data:
+            user_ids = data["replayAccessMembers"]
+            if user_ids is None:
+                user_ids = []
+
+            current_user_ids = set(
+                OrganizationMemberReplayAccess.objects.filter(
+                    organizationmember__organization=org
+                ).values_list("organizationmember__user_id", flat=True)
+            )
+            new_user_ids = set(user_ids)
+
+            to_add = new_user_ids - current_user_ids
+            to_remove = current_user_ids - new_user_ids
+
+            if to_add:
+                user_to_member = dict(
+                    OrganizationMember.objects.filter(
+                        organization=org, user_id__in=to_add
+                    ).values_list("user_id", "id")
+                )
+                invalid_user_ids = to_add - set(user_to_member.keys())
+                if invalid_user_ids:
+                    raise serializers.ValidationError(
+                        {
+                            "replayAccessMembers": f"Invalid user IDs (not members of this organization): {sorted(invalid_user_ids)}"
+                        }
+                    )
+
+                OrganizationMemberReplayAccess.objects.bulk_create(
+                    [
+                        OrganizationMemberReplayAccess(
+                            organizationmember_id=user_to_member[user_id]
+                        )
+                        for user_id in to_add
+                    ],
+                    ignore_conflicts=True,
+                )
+
+            if to_remove:
+                OrganizationMemberReplayAccess.objects.filter(
+                    organizationmember__organization=org, organizationmember__user_id__in=to_remove
+                ).delete()
+
+            if to_add or to_remove:
+                changes = []
+                if to_add:
+                    changes.append(f"added {len(to_add)} user(s)")
+                if to_remove:
+                    changes.append(f"removed {len(to_remove)} user(s)")
+                changed_data["replayAccessMembers"] = (
+                    f"{' and '.join(changes)} (total: {len(new_user_ids)} user(s) with access)"
+                )
+
         if "openMembership" in data:
             org.flags.allow_joinleave = data["openMembership"]
         if "allowSharedIssues" in data:
@@ -809,6 +907,16 @@ class OrganizationDetailsPutSerializer(serializers.Serializer):
         help_text="The role required to download debug information files, ProGuard mappings and source maps.",
         required=False,
     )
+    hasGranularReplayPermissions = serializers.BooleanField(
+        help_text="Specify `true` to enable granular replay permissions, allowing per-member access control for replay data.",
+        required=False,
+    )
+    replayAccessMembers = serializers.ListField(
+        child=serializers.IntegerField(),
+        help_text="A list of user IDs who have permission to access replay data. Requires the hasGranularReplayPermissions flag to be true to be enforced.",
+        required=False,
+        allow_null=True,
+    )
 
     # avatar
     avatarType = serializers.ChoiceField(