feat(demo-mode): read-only user

[obostjancic]

• Ensures this user can't create/edit organization resources by narrowing down the set of scopes given to the user
• Ensures this user can't create/edit user resources (API Apps, Auth tokens etc.) by setting the SentryPermission class on User API endpoints
• Closes: Create a read only member #79006

Context

• In order to replace Current sandbox, which is a self-hosted instance available at https://try.sentry-demo.com/ we created a SaaS sandbox org https://sandbox.sentry.io/
• Event data in sandbox org will be synced with demo org through sentry-mirror
• In order to allow public access to this org we created a Demo User
  • that should have read-only access to only this org. PoC PR
  • that should be able to log in automatically. WIP PR
• sandbox org and Demo User are behind demo-mode.orgs and demo-mode.users options respectively. Those options are added in PR

[codecov]

Codecov Report

Attention: Patch coverage is 98.16514% with 2 lines in your changes missing coverage. Please review.

✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
src/sentry/api/permissions.py	81.81%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #79665      +/-   ##
==========================================
+ Coverage   84.95%   87.76%   +2.81%     
==========================================
  Files        9487     9341     -146     
  Lines      539524   532799    -6725     
  Branches    21177    20267     -910     
==========================================
+ Hits       458344   467636    +9292     
+ Misses      80739    64781   -15958     
+ Partials      441      382      -59     

[getsantry]

This pull request has gone three weeks without activity. In another week, I will close it.

But! If you comment or otherwise update it, I will reset the clock, and if you add the label WIP, I will leave it alone unless WIP is removed ... forever!

---

"A weed is but an unloved flower." ― Ella Wheeler Wilcox 🥀

[leedongwei]

If we're confident that we don't have a GET/HEAD method that modifies data, then the approach seems reasonable to me.

[evanpurkhiser]

Are we planning to clean up all the old sandbox code in sentry?

[wedamija]

Is this just a fixed set of demo users that can log in? Can new users sign up for accounts?

[wedamija]

We don't usually use SentryPermission directly, it's usually a base class we inherit from and apply scopes to.

It seems like if you use this directly, then no users will have permissions on this api:

sentry/src/sentry/api/permissions.py

Lines 167 to 169 in 219f2e6

	allowed_scopes: set[str] = set(self.scope_map.get(request.method, []))
	current_scopes = request.auth.get_scopes()
	return any(s in allowed_scopes for s in current_scopes)

Since this just defined empty scopes, this any can't return True. Not sure if there's some other piece I'm missing that circumvents this.