From 032ced6fd0c85e051f0f50cb843e10ec356e5cf9 Mon Sep 17 00:00:00 2001
From: Michael Derynck <michael.derynck@grafana.com>
Date: Tue, 23 Jan 2024 15:59:33 -0700
Subject: [PATCH 01/22] Add more logging to plugin sync and install (#3730)

# What this PR does
Add logging to process for syncing OnCall backend with Grafana to help
troubleshoot issues in self-hosted setups.


## Which issue(s) this PR fixes

## Checklist

- [ ] Unit, integration, and e2e (if applicable) tests updated
- [x] Documentation added (or `pr:no public docs` PR label added if not
required)
- [x] `CHANGELOG.md` updated (or `pr:no changelog` PR label added if not
required)
---
 CHANGELOG.md                                |  4 ++++
 engine/apps/auth_token/auth.py              |  3 +++
 engine/apps/grafana_plugin/views/install.py |  9 +++++++++
 engine/apps/grafana_plugin/views/status.py  | 17 ++++++++++++++++-
 engine/apps/user_management/sync.py         |  2 ++
 5 files changed, 34 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6e90d15f..51f7a19c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## Unreleased
 
+### Added
+
+- Improved logging during plugin sync and install with Grafana @mderynck ([#3730](https://github.com/grafana/oncall/pull/3730))
+
 ## v1.3.92 (2024-01-23)
 
 Maintenance release
diff --git a/engine/apps/auth_token/auth.py b/engine/apps/auth_token/auth.py
index 89a12560..d40807c8 100644
--- a/engine/apps/auth_token/auth.py
+++ b/engine/apps/auth_token/auth.py
@@ -104,9 +104,11 @@ class BasePluginAuthentication(BaseAuthentication):
         try:
             context = dict(json.loads(request.headers.get("X-Grafana-Context")))
         except (ValueError, TypeError):
+            logger.info("auth request user not found - missing valid X-Grafana-Context")
             return None
 
         if "UserId" not in context and "UserID" not in context:
+            logger.info("auth request user not found - X-Grafana-Context missing UserID")
             return None
 
         try:
@@ -117,6 +119,7 @@ class BasePluginAuthentication(BaseAuthentication):
         try:
             return organization.users.get(user_id=user_id)
         except User.DoesNotExist:
+            logger.info(f"auth request user not found - user_id={user_id}")
             return None
 
 
diff --git a/engine/apps/grafana_plugin/views/install.py b/engine/apps/grafana_plugin/views/install.py
index 44fefaec..234a8758 100644
--- a/engine/apps/grafana_plugin/views/install.py
+++ b/engine/apps/grafana_plugin/views/install.py
@@ -1,3 +1,5 @@
+import logging
+
 from rest_framework import status
 from rest_framework.request import Request
 from rest_framework.response import Response
@@ -8,6 +10,8 @@ from apps.user_management.models import Organization
 from apps.user_management.sync import sync_organization
 from common.api_helpers.mixins import GrafanaHeadersMixin
 
+logger = logging.getLogger(__name__)
+
 
 class InstallView(GrafanaHeadersMixin, APIView):
     authentication_classes = (BasePluginAuthentication,)
@@ -21,6 +25,11 @@ class InstallView(GrafanaHeadersMixin, APIView):
         organization.deleted_at = None
         organization.api_token = self.instance_context["grafana_token"]
         organization.save(update_fields=["api_token", "deleted_at"])
+        logger.info(f"install - grafana_token replaced org={organization.pk}")
 
         sync_organization(organization)
+        logger.info(
+            f"install - sync organization finished org={organization.pk} "
+            f"token_status={organization.api_token_status}"
+        )
         return Response(status=status.HTTP_204_NO_CONTENT)
diff --git a/engine/apps/grafana_plugin/views/status.py b/engine/apps/grafana_plugin/views/status.py
index 340c1774..8e1065cd 100644
--- a/engine/apps/grafana_plugin/views/status.py
+++ b/engine/apps/grafana_plugin/views/status.py
@@ -1,3 +1,5 @@
+import logging
+
 from django.conf import settings
 from rest_framework.request import Request
 from rest_framework.response import Response
@@ -11,6 +13,8 @@ from apps.user_management.models import Organization
 from common.api_helpers.mixins import GrafanaHeadersMixin
 from common.api_helpers.utils import create_engine_url
 
+logger = logging.getLogger(__name__)
+
 
 class StatusView(GrafanaHeadersMixin, APIView):
     authentication_classes = (
@@ -19,8 +23,13 @@ class StatusView(GrafanaHeadersMixin, APIView):
     )
 
     def post(self, request: Request) -> Response:
+        logger.info(
+            f"authenticated via {type(request.successful_authenticator)}, user=[{request.user}] "
+            f"org=[{request.auth.organization.stack_slug if request.auth.organization else None}]"
+        )
+
         """
-        Called asyncronounsly on each start of the plugin
+        Called asynchronously on each start of the plugin
         Checks if plugin is correctly installed and async runs a task
         to sync users, teams and org
         """
@@ -42,7 +51,12 @@ class StatusView(GrafanaHeadersMixin, APIView):
         if organization:
             is_installed = True
             token_ok = organization.api_token_status == Organization.API_TOKEN_STATUS_OK
+            logger.info(
+                f"Status - check token org={organization.pk} status={organization.api_token_status} "
+                f"token_ok={token_ok}"
+            )
             if organization.is_moved:
+                logger.info(f"Organization Moved! org={organization.pk}")
                 api_url = create_engine_url("", override_base=organization.migration_destination.oncall_backend_url)
         else:
             allow_signup = DynamicSetting.objects.get_or_create(
@@ -51,6 +65,7 @@ class StatusView(GrafanaHeadersMixin, APIView):
 
         # If user is not present in OnCall database, set token_ok to False, which will trigger reinstall
         if not request.user:
+            logger.info(f"Status - user not found org={organization.pk} " f"setting token_status to PENDING")
             token_ok = False
             organization.api_token_status = Organization.API_TOKEN_STATUS_PENDING
             organization.save(update_fields=["api_token_status"])
diff --git a/engine/apps/user_management/sync.py b/engine/apps/user_management/sync.py
index d3bd1d28..a06a7fc5 100644
--- a/engine/apps/user_management/sync.py
+++ b/engine/apps/user_management/sync.py
@@ -42,6 +42,7 @@ def _sync_organization(organization: Organization) -> None:
         rbac_is_enabled = grafana_api_client.is_rbac_enabled_for_organization()
 
     organization.is_rbac_permissions_enabled = rbac_is_enabled
+    logger.info(f"RBAC status org={organization.pk} rbac_enabled={organization.is_rbac_permissions_enabled}")
 
     _sync_instance_info(organization)
 
@@ -59,6 +60,7 @@ def _sync_organization(organization: Organization) -> None:
             )
     else:
         organization.api_token_status = Organization.API_TOKEN_STATUS_FAILED
+        logger.warning(f"Sync not successful org={organization.pk} token_status=FAILED")
 
     organization.save(
         update_fields=[

From a6b1ccd416d8697391a93d6bb2f47403076f80aa Mon Sep 17 00:00:00 2001
From: Innokentii Konstantinov <innokenty.konstantinov@grafana.com>
Date: Wed, 24 Jan 2024 16:32:58 +0800
Subject: [PATCH 02/22] Remove unused const

---
 engine/common/api_helpers/mixins.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/engine/common/api_helpers/mixins.py b/engine/common/api_helpers/mixins.py
index 9b06f537..4aacd63b 100644
--- a/engine/common/api_helpers/mixins.py
+++ b/engine/common/api_helpers/mixins.py
@@ -249,7 +249,6 @@ ACKNOWLEDGE_CONDITION = "acknowledge_condition"
 GROUPING_ID = "grouping_id"
 SOURCE_LINK = "source_link"
 ROUTE = "route"
-ALERT_GROUP_LABELS = "alert_group_labels"
 ALERT_GROUP_MULTI_LABEL = "alert_group_multi_label"
 ALERT_GROUP_DYNAMIC_LABEL = "alert_group_dynamic_label"
 

From 19cae8086e472779faff8878a64b0df7bb8b0a08 Mon Sep 17 00:00:00 2001
From: Yulya Artyukhina <Ferril.darkdiver@gmail.com>
Date: Wed, 24 Jan 2024 16:31:56 +0100
Subject: [PATCH 03/22] Retry `perform_notification` with Telegram ratelimit
 countdown on `RetryAfter` error (#3744)

# What this PR does
Use Telegram ratelimit countdown when retry `perform_notification` task
on `RetryAfter` error
## Which issue(s) this PR fixes
https://github.com/grafana/oncall-private/issues/2451

## Checklist

- [x] Unit, integration, and e2e (if applicable) tests updated
- [x] Documentation added (or `pr:no public docs` PR label added if not
required)
- [x] `CHANGELOG.md` updated (or `pr:no changelog` PR label added if not
required)
---
 CHANGELOG.md                                 |  4 +++
 engine/apps/alerts/tasks/notify_user.py      | 13 ++++++--
 engine/apps/alerts/tests/test_notify_user.py | 34 ++++++++++++++++++++
 3 files changed, 49 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 51f7a19c..ca254640 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Improved logging during plugin sync and install with Grafana @mderynck ([#3730](https://github.com/grafana/oncall/pull/3730))
 
+### Fixed
+
+- Fixed too frequent retry of `perform_notification` task on Telegram ratelimit error by @Ferril ([#3744](https://github.com/grafana/oncall/pull/3744))
+
 ## v1.3.92 (2024-01-23)
 
 Maintenance release
diff --git a/engine/apps/alerts/tasks/notify_user.py b/engine/apps/alerts/tasks/notify_user.py
index 277cf4b8..972f2033 100644
--- a/engine/apps/alerts/tasks/notify_user.py
+++ b/engine/apps/alerts/tasks/notify_user.py
@@ -1,10 +1,12 @@
 import time
 from functools import partial
 
+from celery.exceptions import Retry
 from django.conf import settings
 from django.db import transaction
 from django.utils import timezone
 from kombu.utils.uuid import uuid as celery_uuid
+from telegram.error import RetryAfter
 
 from apps.alerts.constants import NEXT_ESCALATION_DELAY
 from apps.alerts.signals import user_notification_action_triggered_signal
@@ -234,7 +236,10 @@ def notify_user_task(
 
 
 @shared_dedicated_queue_retry_task(
-    autoretry_for=(Exception,), retry_backoff=True, max_retries=1 if settings.DEBUG else None
+    autoretry_for=(Exception,),
+    retry_backoff=True,
+    dont_autoretry_for=(Retry,),
+    max_retries=1 if settings.DEBUG else None,
 )
 def perform_notification(log_record_pk):
     from apps.base.models import UserNotificationPolicy, UserNotificationPolicyLogRecord
@@ -289,7 +294,11 @@ def perform_notification(log_record_pk):
         phone_backend.notify_by_call(user, alert_group, notification_policy)
 
     elif notification_channel == UserNotificationPolicy.NotificationChannel.TELEGRAM:
-        TelegramToUserConnector.notify_user(user, alert_group, notification_policy)
+        try:
+            TelegramToUserConnector.notify_user(user, alert_group, notification_policy)
+        except RetryAfter as e:
+            countdown = getattr(e, "retry_after", 3)
+            raise perform_notification.retry((log_record_pk,), countdown=countdown, exc=e)
 
     elif notification_channel == UserNotificationPolicy.NotificationChannel.SLACK:
         # TODO: refactor checking the possibility of sending a notification in slack
diff --git a/engine/apps/alerts/tests/test_notify_user.py b/engine/apps/alerts/tests/test_notify_user.py
index e06585b1..e0c32d2c 100644
--- a/engine/apps/alerts/tests/test_notify_user.py
+++ b/engine/apps/alerts/tests/test_notify_user.py
@@ -1,6 +1,7 @@
 from unittest.mock import patch
 
 import pytest
+from telegram.error import RetryAfter
 
 from apps.alerts.models import AlertGroup
 from apps.alerts.tasks.notify_user import notify_user_task, perform_notification
@@ -8,6 +9,7 @@ from apps.api.permissions import LegacyAccessControlRole
 from apps.base.models.user_notification_policy import UserNotificationPolicy
 from apps.base.models.user_notification_policy_log_record import UserNotificationPolicyLogRecord
 from apps.slack.models import SlackMessage
+from apps.telegram.models import TelegramToUserConnector
 
 NOTIFICATION_UNAUTHORIZED_MSG = "notification is not allowed for user"
 
@@ -297,3 +299,35 @@ def test_perform_notification_missing_user_notification_policy_log_record(caplog
         "The alert group associated with this log record may have been deleted."
     ) in caplog.text
     assert f"perform_notification: found record for {invalid_pk}" not in caplog.text
+
+
+@pytest.mark.django_db
+def test_perform_notification_telegram_retryafter_error(
+    make_organization_and_user,
+    make_user_notification_policy,
+    make_alert_receive_channel,
+    make_alert_group,
+    make_user_notification_policy_log_record,
+):
+    organization, user = make_organization_and_user()
+    user_notification_policy = make_user_notification_policy(
+        user=user,
+        step=UserNotificationPolicy.Step.NOTIFY,
+        notify_by=UserNotificationPolicy.NotificationChannel.TELEGRAM,
+    )
+    alert_receive_channel = make_alert_receive_channel(organization=organization)
+    alert_group = make_alert_group(alert_receive_channel=alert_receive_channel)
+    log_record = make_user_notification_policy_log_record(
+        author=user,
+        alert_group=alert_group,
+        notification_policy=user_notification_policy,
+        type=UserNotificationPolicyLogRecord.TYPE_PERSONAL_NOTIFICATION_TRIGGERED,
+    )
+    countdown = 15
+    exc = RetryAfter(countdown)
+    with patch.object(TelegramToUserConnector, "notify_user", side_effect=exc) as mock_notify_user:
+        with pytest.raises(RetryAfter):
+            perform_notification(log_record.pk)
+
+    mock_notify_user.assert_called_once_with(user, alert_group, user_notification_policy)
+    assert alert_group.personal_log_records.last() == log_record

From 21f0e2db8960c4920c27f90dd3c05ba5dde7ef00 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
 <41898282+github-actions[bot]@users.noreply.github.com>
Date: Thu, 25 Jan 2024 08:28:51 +0000
Subject: [PATCH 04/22] Update `make docs` procedure (#3749)

Co-authored-by: grafanabot <bot@grafana.com>
Co-authored-by: Jack Baldry <jack.baldry@grafana.com>
---
 docs/make-docs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/make-docs b/docs/make-docs
index d4a8fd53..d5d861ca 100755
--- a/docs/make-docs
+++ b/docs/make-docs
@@ -717,7 +717,7 @@ case "${image}" in
                 "${DOCS_IMAGE}" \
                 "--minAlertLevel=${VALE_MINALERTLEVEL}" \
                 '--glob=*.md' \
-                --output=line \
+                --output=/etc/vale/rdjsonl.tmpl \
                 /hugo/content/docs | sed "s#$(proj_dst "${proj}")#sources#"
     ;;
   *)

From e18dafa650a79e407a4a169a661fa6ab53e7ffb9 Mon Sep 17 00:00:00 2001
From: Yulya Artyukhina <Ferril.darkdiver@gmail.com>
Date: Thu, 25 Jan 2024 13:52:55 +0100
Subject: [PATCH 05/22] Fix `routes` and `schedules` public api endpoints
 (#3751)

# What this PR does
Add check whether organization has Slack connection on update Slack
related field using public api endpoints
## Which issue(s) this PR fixes
https://github.com/grafana/oncall-private/issues/1611
## Checklist

- [x] Unit, integration, and e2e (if applicable) tests updated
- [x] Documentation added (or `pr:no public docs` PR label added if not
required)
- [x] `CHANGELOG.md` updated (or `pr:no changelog` PR label added if not
required)
---
 CHANGELOG.md                                  |  2 +
 engine/apps/public_api/serializers/routes.py  |  2 +
 .../public_api/serializers/schedules_base.py  |  3 +
 .../public_api/tests/test_integrations.py     | 44 ++++++++++++++
 engine/apps/public_api/tests/test_routes.py   | 46 +++++++++++++++
 .../apps/public_api/tests/test_schedules.py   | 59 +++++++++++++++++++
 6 files changed, 156 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index ca254640..34c4efd2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Fixed
 
 - Fixed too frequent retry of `perform_notification` task on Telegram ratelimit error by @Ferril ([#3744](https://github.com/grafana/oncall/pull/3744))
+- Add check whether organization has Slack connection on update Slack related field using public api endpoints
+  by @Ferril ([#3751](https://github.com/grafana/oncall/pull/3751))
 
 ## v1.3.92 (2024-01-23)
 
diff --git a/engine/apps/public_api/serializers/routes.py b/engine/apps/public_api/serializers/routes.py
index 878722be..0b6468db 100644
--- a/engine/apps/public_api/serializers/routes.py
+++ b/engine/apps/public_api/serializers/routes.py
@@ -86,6 +86,8 @@ class BaseChannelFilterSerializer(OrderedModelSerializer):
             slack_channel_id = slack_channel_id.upper()
             organization = self.context["request"].auth.organization
             slack_team_identity = organization.slack_team_identity
+            if not slack_team_identity:
+                raise BadRequest(detail="Slack isn't connected to this workspace")
             try:
                 slack_team_identity.get_cached_channels().get(slack_id=slack_channel_id)
             except SlackChannel.DoesNotExist:
diff --git a/engine/apps/public_api/serializers/schedules_base.py b/engine/apps/public_api/serializers/schedules_base.py
index 03e4ae60..5ea13cb4 100644
--- a/engine/apps/public_api/serializers/schedules_base.py
+++ b/engine/apps/public_api/serializers/schedules_base.py
@@ -45,6 +45,9 @@ class ScheduleBaseSerializer(serializers.ModelSerializer):
         organization = self.context["request"].auth.organization
         slack_team_identity = organization.slack_team_identity
 
+        if (slack_channel_id or user_group_id) and not slack_team_identity:
+            raise BadRequest(detail="Slack isn't connected to this workspace")
+
         if slack_channel_id is not None:
             slack_channel_id = slack_channel_id.upper()
             try:
diff --git a/engine/apps/public_api/tests/test_integrations.py b/engine/apps/public_api/tests/test_integrations.py
index 0d7a3045..8f9e2473 100644
--- a/engine/apps/public_api/tests/test_integrations.py
+++ b/engine/apps/public_api/tests/test_integrations.py
@@ -819,6 +819,50 @@ def test_update_integration_default_route(
     assert response.data["default_route"]["escalation_chain_id"] == escalation_chain.public_primary_key
 
 
+@pytest.mark.django_db
+def test_create_integration_default_route_with_slack_field(
+    make_organization_and_user_with_token,
+    make_escalation_chain,
+):
+    organization, _, token = make_organization_and_user_with_token()
+    escalation_chain = make_escalation_chain(organization)
+
+    client = APIClient()
+    data_for_create = {
+        "type": "grafana",
+        "name": "grafana_created",
+        "team_id": None,
+        "default_route": {
+            "escalation_chain_id": escalation_chain.public_primary_key,
+            "slack": {"channel_id": "TEST_SLACK_ID"},
+        },
+    }
+    url = reverse("api-public:integrations-list")
+    response = client.post(url, data=data_for_create, format="json", HTTP_AUTHORIZATION=f"{token}")
+    assert response.status_code == status.HTTP_400_BAD_REQUEST
+    assert response.data["detail"] == "Slack isn't connected to this workspace"
+
+
+@pytest.mark.django_db
+def test_update_integration_default_route_with_slack_field(
+    make_organization_and_user_with_token, make_alert_receive_channel, make_channel_filter
+):
+    organization, _, token = make_organization_and_user_with_token()
+    integration = make_alert_receive_channel(organization)
+    make_channel_filter(integration, is_default=True)
+
+    client = APIClient()
+    data_for_update = {
+        "default_route": {"slack": {"channel_id": "TEST_SLACK_ID"}},
+    }
+
+    url = reverse("api-public:integrations-detail", args=[integration.public_primary_key])
+    response = client.put(url, data=data_for_update, format="json", HTTP_AUTHORIZATION=f"{token}")
+
+    assert response.status_code == status.HTTP_400_BAD_REQUEST
+    assert response.data["detail"] == "Slack isn't connected to this workspace"
+
+
 @pytest.mark.django_db
 def test_cant_create_integrations_direct_paging(
     make_organization_and_user_with_token, make_team, make_alert_receive_channel, make_user_auth_headers
diff --git a/engine/apps/public_api/tests/test_routes.py b/engine/apps/public_api/tests/test_routes.py
index a03a238b..126408bc 100644
--- a/engine/apps/public_api/tests/test_routes.py
+++ b/engine/apps/public_api/tests/test_routes.py
@@ -282,6 +282,52 @@ def test_delete_route(
         new_channel_filter.refresh_from_db()
 
 
+@pytest.mark.django_db
+def test_create_route_slack_error(
+    route_public_api_setup,
+):
+    _, _, token, alert_receive_channel, escalation_chain, _ = route_public_api_setup
+
+    client = APIClient()
+
+    url = reverse("api-public:routes-list")
+    data_for_create = {
+        "integration_id": alert_receive_channel.public_primary_key,
+        "routing_regex": "testreg",
+        "escalation_chain_id": escalation_chain.public_primary_key,
+        "slack": {"channel_id": "TEST_SLACK_ID"},
+    }
+    response = client.post(url, format="json", HTTP_AUTHORIZATION=token, data=data_for_create)
+
+    assert response.status_code == status.HTTP_400_BAD_REQUEST
+    assert response.data["detail"] == "Slack isn't connected to this workspace"
+
+
+@pytest.mark.django_db
+def test_update_route_slack_error(
+    route_public_api_setup,
+    make_channel_filter,
+):
+    _, _, token, alert_receive_channel, escalation_chain, _ = route_public_api_setup
+    new_channel_filter = make_channel_filter(
+        alert_receive_channel,
+        is_default=False,
+        filtering_term="testreg",
+    )
+
+    client = APIClient()
+
+    url = reverse("api-public:routes-detail", kwargs={"pk": new_channel_filter.public_primary_key})
+    data_to_update = {
+        "slack": {"channel_id": "TEST_SLACK_ID"},
+    }
+
+    response = client.put(url, format="json", HTTP_AUTHORIZATION=token, data=data_to_update)
+
+    assert response.status_code == status.HTTP_400_BAD_REQUEST
+    assert response.data["detail"] == "Slack isn't connected to this workspace"
+
+
 @pytest.mark.django_db
 def test_create_route_with_messaging_backend(
     route_public_api_setup,
diff --git a/engine/apps/public_api/tests/test_schedules.py b/engine/apps/public_api/tests/test_schedules.py
index 956f59c2..6d041bf9 100644
--- a/engine/apps/public_api/tests/test_schedules.py
+++ b/engine/apps/public_api/tests/test_schedules.py
@@ -844,6 +844,65 @@ def test_create_schedule_invalid_timezone(make_organization_and_user_with_token,
     assert response.json() == {"time_zone": ["Invalid timezone"]}
 
 
+@pytest.mark.django_db
+def test_create_calendar_schedule_slack_error(make_organization_and_user_with_token):
+    organization, user, token = make_organization_and_user_with_token()
+    client = APIClient()
+
+    url = reverse("api-public:schedules-list")
+    # with slack channel id
+    data = {
+        "team_id": None,
+        "name": "schedule test name",
+        "time_zone": "Europe/Moscow",
+        "type": "calendar",
+        "slack": {
+            "channel_id": "TEST_SLACK_ID",
+        },
+    }
+
+    response = client.post(url, data=data, format="json", HTTP_AUTHORIZATION=f"{token}")
+    assert response.status_code == status.HTTP_400_BAD_REQUEST
+    assert response.data["detail"] == "Slack isn't connected to this workspace"
+    # with slack user group id
+    data = {
+        "team_id": None,
+        "name": "schedule test name",
+        "time_zone": "Europe/Moscow",
+        "type": "calendar",
+        "slack": {
+            "user_group_id": "TEST_SLACK_ID",
+        },
+    }
+
+    response = client.post(url, data=data, format="json", HTTP_AUTHORIZATION=f"{token}")
+    assert response.status_code == status.HTTP_400_BAD_REQUEST
+    assert response.data["detail"] == "Slack isn't connected to this workspace"
+
+
+@pytest.mark.django_db
+def test_update_calendar_schedule_slack_error(
+    make_organization_and_user_with_token,
+    make_schedule,
+):
+    organization, user, token = make_organization_and_user_with_token()
+    client = APIClient()
+    schedule = make_schedule(organization, schedule_class=OnCallScheduleCalendar)
+    url = reverse("api-public:schedules-detail", kwargs={"pk": schedule.public_primary_key})
+
+    data = {"slack": {"channel_id": "TEST_SLACK_ID"}}
+
+    response = client.put(url, data=data, format="json", HTTP_AUTHORIZATION=f"{token}")
+    assert response.status_code == status.HTTP_400_BAD_REQUEST
+    assert response.data["detail"] == "Slack isn't connected to this workspace"
+
+    data = {"slack": {"user_group_id": "TEST_SLACK_ID"}}
+
+    response = client.put(url, data=data, format="json", HTTP_AUTHORIZATION=f"{token}")
+    assert response.status_code == status.HTTP_400_BAD_REQUEST
+    assert response.data["detail"] == "Slack isn't connected to this workspace"
+
+
 @pytest.mark.django_db
 def test_create_ical_schedule_without_ical_url(make_organization_and_user_with_token):
     _, _, token = make_organization_and_user_with_token()

From 2abcc4563a692e4c7388ddd40283800d365c576a Mon Sep 17 00:00:00 2001
From: Joey Orlando <joey.orlando@grafana.com>
Date: Thu, 25 Jan 2024 13:46:55 -0500
Subject: [PATCH 06/22] mobile app proxy - request auth token from cloud auth
 api (#3748)

# What this PR does

Related to https://github.com/grafana/oncall-private/issues/2071

See [this
conversation](https://raintank-corp.slack.com/archives/C064R17Q1A8/p1706125615995019)
for all the context

## Checklist

- [x] Unit, integration, and e2e (if applicable) tests updated
- [x] Documentation added (or `pr:no public docs` PR label added if not
required)
- [x] `CHANGELOG.md` updated (or `pr:no changelog` PR label added if not
required)
---
 .../tests/test_mobile_app_gateway.py          | 34 ++++----
 engine/apps/mobile_app/views.py               | 40 ++++++----
 engine/common/cloud_auth_api/__init__.py      |  0
 engine/common/cloud_auth_api/client.py        | 66 ++++++++++++++++
 .../common/cloud_auth_api/tests/__init__.py   |  0
 .../cloud_auth_api/tests/test_client.py       | 79 +++++++++++++++++++
 engine/common/oncall_gateway/client.py        |  2 +-
 engine/requirements.txt                       |  1 -
 engine/settings/base.py                       |  5 +-
 9 files changed, 193 insertions(+), 34 deletions(-)
 create mode 100644 engine/common/cloud_auth_api/__init__.py
 create mode 100644 engine/common/cloud_auth_api/client.py
 create mode 100644 engine/common/cloud_auth_api/tests/__init__.py
 create mode 100644 engine/common/cloud_auth_api/tests/test_client.py

diff --git a/engine/apps/mobile_app/tests/test_mobile_app_gateway.py b/engine/apps/mobile_app/tests/test_mobile_app_gateway.py
index f38dabb4..5c259bf1 100644
--- a/engine/apps/mobile_app/tests/test_mobile_app_gateway.py
+++ b/engine/apps/mobile_app/tests/test_mobile_app_gateway.py
@@ -10,22 +10,23 @@ from rest_framework.test import APIClient
 from rest_framework.views import APIView
 
 from apps.mobile_app.views import MobileAppGatewayView
+from common.cloud_auth_api.client import CloudAuthApiClient, CloudAuthApiException
 
 DOWNSTREAM_BACKEND = "incident"
 MOCK_DOWNSTREAM_URL = "https://mockdownstream.com"
 MOCK_DOWNSTREAM_INCIDENT_API_URL = "https://mockdownstreamincidentapi.com"
-MOCK_DOWNSTREAM_HEADERS = {"X-OnCall-Mobile-Proxy-Authorization": "Bearer mock_jwt"}
+MOCK_DOWNSTREAM_HEADERS = {"Authorization": "Bearer mock_auth_token"}
 MOCK_DOWNSTREAM_RESPONSE_DATA = {"foo": "bar"}
 
 MOCK_TIMEZONE_NOW = timezone.datetime(2021, 1, 1, 3, 4, 5, tzinfo=timezone.utc)
-MOCK_JWT = "mncn,zxcnv,mznxcv"
-MOCK_JWT_PRIVATE_KEY = "asd,mzcxn,vmnzxcv,mnzx,cvmnzaslkdjflaksjdf"
+MOCK_AUTH_TOKEN = "mncn,zxcnv,mznxcv"
 
 
 @pytest.fixture(autouse=True)
 def enable_mobile_app_gateway(settings):
     settings.MOBILE_APP_GATEWAY_ENABLED = True
-    settings.MOBILE_APP_GATEWAY_RSA_PRIVATE_KEY = MOCK_JWT_PRIVATE_KEY
+    settings.GRAFANA_CLOUD_AUTH_API_URL = "asdfasdf"
+    settings.GRAFANA_CLOUD_AUTH_API_SYSTEM_TOKEN = "zxcvzx"
 
 
 class MockResponse:
@@ -209,6 +210,7 @@ def test_mobile_app_gateway_supported_downstream_backends(
         (requests.exceptions.TooManyRedirects, (), status.HTTP_502_BAD_GATEWAY),
         (requests.exceptions.Timeout, (), status.HTTP_502_BAD_GATEWAY),
         (requests.exceptions.JSONDecodeError, ("", "", 5), status.HTTP_400_BAD_REQUEST),
+        (CloudAuthApiException, (403, "http://example.com"), status.HTTP_502_BAD_GATEWAY),
     ],
 )
 def test_mobile_app_gateway_catches_errors_from_downstream_server(
@@ -290,11 +292,11 @@ def test_mobile_app_gateway_incident_api_url(
 
 @pytest.mark.django_db
 @patch("apps.mobile_app.views.requests")
-@patch("apps.mobile_app.views.MobileAppGatewayView._construct_jwt", return_value=MOCK_JWT)
+@patch("apps.mobile_app.views.MobileAppGatewayView._get_auth_token", return_value=MOCK_AUTH_TOKEN)
 @patch("apps.mobile_app.views.MobileAppGatewayView._get_downstream_url", return_value=MOCK_DOWNSTREAM_URL)
 def test_mobile_app_gateway_proxies_headers(
     _mock_get_downstream_url,
-    _mock_construct_jwt,
+    _mock_get_auth_token,
     mock_requests,
     make_organization_and_user_with_mobile_app_auth_token,
 ):
@@ -313,16 +315,16 @@ def test_mobile_app_gateway_proxies_headers(
         MOCK_DOWNSTREAM_URL,
         data=b"",
         params={},
-        headers={"X-OnCall-Mobile-Proxy-Authorization": f"Bearer {MOCK_JWT}", "Content-Type": content_type_header},
+        headers={"Authorization": f"Bearer {MOCK_AUTH_TOKEN}", "Content-Type": content_type_header},
     )
 
 
 @pytest.mark.django_db
-@patch("apps.mobile_app.views.jwt.encode", return_value=MOCK_JWT)
+@patch("apps.mobile_app.views.CloudAuthApiClient.request_signed_token", return_value=MOCK_AUTH_TOKEN)
 @patch("apps.mobile_app.views.timezone.now", return_value=MOCK_TIMEZONE_NOW)
-def test_mobile_app_gateway_properly_generates_a_jwt(
+def test_mobile_app_gateway_properly_generates_an_auth_token(
     _mock_timezone_now,
-    mock_jwt_encode,
+    mock_request_signed_token,
     make_organization,
     make_user_for_organization,
 ):
@@ -337,10 +339,14 @@ def test_mobile_app_gateway_properly_generates_a_jwt(
     )
     user = make_user_for_organization(organization, user_id=user_id)
 
-    encoded_jwt = MobileAppGatewayView._construct_jwt(user)
+    auth_token = MobileAppGatewayView._get_auth_token(DOWNSTREAM_BACKEND, user)
 
-    assert encoded_jwt == MOCK_JWT
-    mock_jwt_encode.assert_called_once_with(
+    assert auth_token == f"{stack_id}:{MOCK_AUTH_TOKEN}"
+
+    mock_request_signed_token.assert_called_once_with(
+        organization_id,
+        stack_id,
+        [CloudAuthApiClient.Scopes.INCIDENT_WRITE],
         {
             "iat": MOCK_TIMEZONE_NOW,
             "exp": MOCK_TIMEZONE_NOW + timezone.timedelta(minutes=1),
@@ -351,6 +357,4 @@ def test_mobile_app_gateway_properly_generates_a_jwt(
             "stack_slug": organization.stack_slug,
             "org_slug": organization.org_slug,
         },
-        MOCK_JWT_PRIVATE_KEY,
-        algorithm="RS256",
     )
diff --git a/engine/apps/mobile_app/views.py b/engine/apps/mobile_app/views.py
index 8871fee5..fcd728d7 100644
--- a/engine/apps/mobile_app/views.py
+++ b/engine/apps/mobile_app/views.py
@@ -1,7 +1,7 @@
+import enum
 import logging
 import typing
 
-import jwt
 import requests
 from django.conf import settings
 from django.core.exceptions import ObjectDoesNotExist
@@ -17,6 +17,7 @@ from rest_framework.views import APIView
 from apps.mobile_app.auth import MobileAppAuthTokenAuthentication, MobileAppVerificationTokenAuthentication
 from apps.mobile_app.models import FCMDevice, MobileAppAuthToken, MobileAppUserSettings
 from apps.mobile_app.serializers import FCMDeviceSerializer, MobileAppUserSettingsSerializer
+from common.cloud_auth_api.client import CloudAuthApiClient, CloudAuthApiException
 
 if typing.TYPE_CHECKING:
     from apps.user_management.models import Organization, User
@@ -135,12 +136,10 @@ class MobileAppGatewayView(APIView):
     authentication_classes = (MobileAppAuthTokenAuthentication,)
     permission_classes = (IsAuthenticated,)
 
-    class SupportedDownstreamBackends:
+    class SupportedDownstreamBackends(enum.StrEnum):
         INCIDENT = "incident"
 
-    ALL_SUPPORTED_DOWNSTREAM_BACKENDS = [
-        SupportedDownstreamBackends.INCIDENT,
-    ]
+    ALL_SUPPORTED_DOWNSTREAM_BACKENDS = list(SupportedDownstreamBackends)
 
     def initial(self, request: Request, *args, **kwargs):
         # If the mobile app gateway is not enabled, return a 404
@@ -149,11 +148,12 @@ class MobileAppGatewayView(APIView):
         super().initial(request, *args, **kwargs)
 
     @classmethod
-    def _construct_jwt_payload(cls, user: "User") -> typing.Dict[str, typing.Any]:
+    def _construct_token_claims(cls, user: "User") -> typing.Dict[str, typing.Any]:
         organization = user.organization
         now = timezone.now()
 
         return {
+            # TODO: do we need to specify iat and exp?
             # registered claim names
             "iat": now,
             "exp": now + timezone.timedelta(minutes=1),  # jwt is short lived. expires in 1 minute.
@@ -167,19 +167,28 @@ class MobileAppGatewayView(APIView):
         }
 
     @classmethod
-    def _construct_jwt(cls, user: "User") -> str:
+    def _get_auth_token(cls, downstream_backend: SupportedDownstreamBackends, user: "User") -> str:
         """
         RS256 = asymmetric = public/private key pair
         HS256 = symmetric = shared secret (don't use this)
         """
-        return jwt.encode(
-            cls._construct_jwt_payload(user), settings.MOBILE_APP_GATEWAY_RSA_PRIVATE_KEY, algorithm="RS256"
-        )
+        token_claims = cls._construct_token_claims(user)
+        token_scopes = {
+            cls.SupportedDownstreamBackends.INCIDENT: [CloudAuthApiClient.Scopes.INCIDENT_WRITE],
+        }[downstream_backend]
+
+        org = user.organization
+        stack_id = org.stack_id
+        token = CloudAuthApiClient().request_signed_token(org.org_id, stack_id, token_scopes, token_claims)
+
+        return f"{stack_id}:{token}"
 
     @classmethod
-    def _get_downstream_headers(cls, request: Request, user: "User") -> typing.Dict[str, str]:
+    def _get_downstream_headers(
+        cls, request: Request, downstream_backend: SupportedDownstreamBackends, user: "User"
+    ) -> typing.Dict[str, str]:
         headers = {
-            "X-OnCall-Mobile-Proxy-Authorization": f"Bearer {cls._construct_jwt(user)}",
+            "Authorization": f"Bearer {cls._get_auth_token(downstream_backend, user)}",
         }
 
         if (v := request.META.get("CONTENT_TYPE", None)) is not None:
@@ -188,7 +197,9 @@ class MobileAppGatewayView(APIView):
         return headers
 
     @classmethod
-    def _get_downstream_url(cls, organization: "Organization", downstream_backend: str, downstream_path: str) -> str:
+    def _get_downstream_url(
+        cls, organization: "Organization", downstream_backend: SupportedDownstreamBackends, downstream_path: str
+    ) -> str:
         downstream_url = {
             cls.SupportedDownstreamBackends.INCIDENT: organization.grafana_incident_backend_url,
         }[downstream_backend]
@@ -217,13 +228,14 @@ class MobileAppGatewayView(APIView):
                 downstream_url,
                 data=request.body,
                 params=request.query_params.dict(),
-                headers=self._get_downstream_headers(request, user),
+                headers=self._get_downstream_headers(request, downstream_backend, user),
             )
 
             return Response(status=downstream_response.status_code, data=downstream_response.json())
         except (
             requests.exceptions.RequestException,
             requests.exceptions.JSONDecodeError,
+            CloudAuthApiException,
         ) as e:
             if isinstance(e, requests.exceptions.JSONDecodeError):
                 final_status = status.HTTP_400_BAD_REQUEST
diff --git a/engine/common/cloud_auth_api/__init__.py b/engine/common/cloud_auth_api/__init__.py
new file mode 100644
index 00000000..e69de29b
diff --git a/engine/common/cloud_auth_api/client.py b/engine/common/cloud_auth_api/client.py
new file mode 100644
index 00000000..21f760cc
--- /dev/null
+++ b/engine/common/cloud_auth_api/client.py
@@ -0,0 +1,66 @@
+import enum
+import typing
+from urllib.parse import urljoin
+
+import requests
+from django.conf import settings
+from rest_framework import status
+
+
+class CloudAuthApiException(Exception):
+    """A generic 400 or 500 level exception from the Cloud Auth API"""
+
+    def __init__(self, status, url, msg="", method="GET"):
+        self.url = url
+        self.status = status
+        self.method = method
+        self.msg = msg
+
+    def __str__(self):
+        return f"CloudAuthApiException: status={self.status} url={self.url} method={self.method} error={self.msg}"
+
+
+class CloudAuthApiClient:
+    class Scopes(enum.StrEnum):
+        INCIDENT_WRITE = "incident:write"
+
+    def __init__(self):
+        if settings.GRAFANA_CLOUD_AUTH_API_URL is None or settings.GRAFANA_CLOUD_AUTH_API_SYSTEM_TOKEN is None:
+            raise RuntimeError(
+                "GRAFANA_CLOUD_AUTH_API_URL and GRAFANA_CLOUD_AUTH_API_SYSTEM_TOKEN must be set"
+                "to use CloudAuthApiClient"
+            )
+
+        self.api_base_url = settings.GRAFANA_CLOUD_AUTH_API_URL
+        self.api_token = settings.GRAFANA_CLOUD_AUTH_API_SYSTEM_TOKEN
+
+    def request_signed_token(
+        self, org_id: int, stack_id: int, scopes: typing.List[Scopes], claims: typing.Dict[str, typing.Any]
+    ) -> str:
+        headers = {
+            "Authorization": f"Bearer {self.api_token}",
+            "X-Org-ID": org_id,
+            "X-Realms": [
+                {
+                    "type": "stack",
+                    "identifier": stack_id,
+                },
+            ],
+        }
+
+        url = urljoin(self.api_base_url, "v1/sign")
+        response = requests.post(
+            url,
+            headers=headers,
+            json={
+                "claims": claims,
+                "extra": {
+                    "scopes": scopes,
+                    "org_id": org_id,
+                },
+            },
+        )
+
+        if response.status_code != status.HTTP_200_OK:
+            raise CloudAuthApiException(response.status_code, url, response.text, method="POST")
+        return response.json()["data"]["token"]
diff --git a/engine/common/cloud_auth_api/tests/__init__.py b/engine/common/cloud_auth_api/tests/__init__.py
new file mode 100644
index 00000000..e69de29b
diff --git a/engine/common/cloud_auth_api/tests/test_client.py b/engine/common/cloud_auth_api/tests/test_client.py
new file mode 100644
index 00000000..c52d6eb0
--- /dev/null
+++ b/engine/common/cloud_auth_api/tests/test_client.py
@@ -0,0 +1,79 @@
+from unittest.mock import patch
+
+import pytest
+from rest_framework import status
+
+from common.cloud_auth_api.client import CloudAuthApiClient, CloudAuthApiException
+
+GRAFANA_CLOUD_AUTH_API_URL = "http://example.com"
+GRAFANA_CLOUD_AUTH_API_SYSTEM_TOKEN = "asdfasdfasdfasdf"
+
+
+@pytest.fixture(autouse=True)
+def configure_cloud_auth_api_client(settings):
+    settings.GRAFANA_CLOUD_AUTH_API_URL = GRAFANA_CLOUD_AUTH_API_URL
+    settings.GRAFANA_CLOUD_AUTH_API_SYSTEM_TOKEN = GRAFANA_CLOUD_AUTH_API_SYSTEM_TOKEN
+
+
+@patch("common.cloud_auth_api.client.requests")
+@pytest.mark.parametrize("response_status_code", [status.HTTP_200_OK, status.HTTP_401_UNAUTHORIZED])
+def test_request_signed_token(mock_requests, response_status_code):
+    mock_auth_token = ",mnasdlkjlakjoqwejroiqwejr"
+    mock_response_text = "error message"
+
+    org_id = 1
+    stack_id = 5
+    scopes = ["incident:write", "foo:bar"]
+    claims = {"vegetable": "carrot", "fruit": "apple"}
+
+    class MockResponse:
+        text = mock_response_text
+
+        def __init__(self, status_code):
+            self.status_code = status_code
+
+        def json(self):
+            return {
+                "data": {
+                    "token": mock_auth_token,
+                },
+            }
+
+    mock_requests.post.return_value = MockResponse(response_status_code)
+
+    def _make_request():
+        return CloudAuthApiClient().request_signed_token(org_id, stack_id, scopes, claims)
+
+    url = f"{GRAFANA_CLOUD_AUTH_API_URL}/v1/sign"
+
+    if response_status_code != status.HTTP_200_OK:
+        with pytest.raises(CloudAuthApiException) as excinfo:
+            _make_request()
+
+            assert excinfo.value.status == response_status_code
+            assert excinfo.value.method == "POST"
+            assert excinfo.value.msg == mock_response_text
+            assert excinfo.value.url == url
+    else:
+        assert _make_request() == mock_auth_token
+
+    mock_requests.post.assert_called_once_with(
+        url,
+        headers={
+            "Authorization": f"Bearer {GRAFANA_CLOUD_AUTH_API_SYSTEM_TOKEN}",
+            "X-Org-ID": org_id,
+            "X-Realms": [
+                {
+                    "type": "stack",
+                    "identifier": stack_id,
+                },
+            ],
+        },
+        json={
+            "claims": claims,
+            "extra": {
+                "scopes": scopes,
+                "org_id": org_id,
+            },
+        },
+    )
diff --git a/engine/common/oncall_gateway/client.py b/engine/common/oncall_gateway/client.py
index 947b7968..cd3eadaf 100644
--- a/engine/common/oncall_gateway/client.py
+++ b/engine/common/oncall_gateway/client.py
@@ -44,7 +44,7 @@ class ChatopsProxyAPIException(Exception):
         self.msg = msg
 
     def __str__(self):
-        return f"LabelsRepoAPIException: status={self.status} url={self.url} method={self.method} error={self.msg}"
+        return f"ChatopsProxyAPIException: status={self.status} url={self.url} method={self.method} error={self.msg}"
 
 
 class ChatopsProxyAPIClient:
diff --git a/engine/requirements.txt b/engine/requirements.txt
index b182216f..be789078 100644
--- a/engine/requirements.txt
+++ b/engine/requirements.txt
@@ -56,4 +56,3 @@ babel==2.12.1
 drf-spectacular==0.26.5
 grpcio==1.57.0
 markdown2==2.4.10
-PyJWT==2.8.0
diff --git a/engine/settings/base.py b/engine/settings/base.py
index c3bd695d..6621c0a6 100644
--- a/engine/settings/base.py
+++ b/engine/settings/base.py
@@ -726,9 +726,8 @@ FCM_DJANGO_SETTINGS = {
 }
 
 MOBILE_APP_GATEWAY_ENABLED = getenv_boolean("MOBILE_APP_GATEWAY_ENABLED", default=False)
-MOBILE_APP_GATEWAY_RSA_PRIVATE_KEY = os.environ.get("MOBILE_APP_GATEWAY_RSA_PRIVATE_KEY", None)
-if MOBILE_APP_GATEWAY_ENABLED and not MOBILE_APP_GATEWAY_RSA_PRIVATE_KEY:
-    raise RuntimeError("MOBILE_APP_GATEWAY_RSA_PRIVATE_KEY is required when MOBILE_APP_GATEWAY_ENABLED is True")
+GRAFANA_CLOUD_AUTH_API_URL = os.environ.get("GRAFANA_CLOUD_AUTH_API_URL", None)
+GRAFANA_CLOUD_AUTH_API_SYSTEM_TOKEN = os.environ.get("GRAFANA_CLOUD_AUTH_API_SYSTEM_TOKEN", None)
 
 SELF_HOSTED_SETTINGS = {
     "STACK_ID": 5,

From add6df570f99362eac60f4fdd4848c077d0025b6 Mon Sep 17 00:00:00 2001
From: Joey Orlando <joseph.t.orlando@gmail.com>
Date: Thu, 25 Jan 2024 14:19:28 -0500
Subject: [PATCH 07/22] address improperly formatted cloud auth api request
 headers

---
 .../mobile_app/tests/test_mobile_app_gateway.py    |  3 +--
 engine/apps/mobile_app/views.py                    |  5 +----
 engine/common/cloud_auth_api/client.py             | 14 +++++++++++---
 engine/common/cloud_auth_api/tests/test_client.py  | 12 ++++++++----
 4 files changed, 21 insertions(+), 13 deletions(-)

diff --git a/engine/apps/mobile_app/tests/test_mobile_app_gateway.py b/engine/apps/mobile_app/tests/test_mobile_app_gateway.py
index 5c259bf1..a860a85a 100644
--- a/engine/apps/mobile_app/tests/test_mobile_app_gateway.py
+++ b/engine/apps/mobile_app/tests/test_mobile_app_gateway.py
@@ -344,8 +344,7 @@ def test_mobile_app_gateway_properly_generates_an_auth_token(
     assert auth_token == f"{stack_id}:{MOCK_AUTH_TOKEN}"
 
     mock_request_signed_token.assert_called_once_with(
-        organization_id,
-        stack_id,
+        organization,
         [CloudAuthApiClient.Scopes.INCIDENT_WRITE],
         {
             "iat": MOCK_TIMEZONE_NOW,
diff --git a/engine/apps/mobile_app/views.py b/engine/apps/mobile_app/views.py
index fcd728d7..46da4b5a 100644
--- a/engine/apps/mobile_app/views.py
+++ b/engine/apps/mobile_app/views.py
@@ -178,10 +178,7 @@ class MobileAppGatewayView(APIView):
         }[downstream_backend]
 
         org = user.organization
-        stack_id = org.stack_id
-        token = CloudAuthApiClient().request_signed_token(org.org_id, stack_id, token_scopes, token_claims)
-
-        return f"{stack_id}:{token}"
+        return f"{org.stack_id}:{CloudAuthApiClient().request_signed_token(org, token_scopes, token_claims)}"
 
     @classmethod
     def _get_downstream_headers(
diff --git a/engine/common/cloud_auth_api/client.py b/engine/common/cloud_auth_api/client.py
index 21f760cc..193051a8 100644
--- a/engine/common/cloud_auth_api/client.py
+++ b/engine/common/cloud_auth_api/client.py
@@ -6,6 +6,9 @@ import requests
 from django.conf import settings
 from rest_framework import status
 
+if typing.TYPE_CHECKING:
+    from apps.user_management.models import Organization
+
 
 class CloudAuthApiException(Exception):
     """A generic 400 or 500 level exception from the Cloud Auth API"""
@@ -35,15 +38,20 @@ class CloudAuthApiClient:
         self.api_token = settings.GRAFANA_CLOUD_AUTH_API_SYSTEM_TOKEN
 
     def request_signed_token(
-        self, org_id: int, stack_id: int, scopes: typing.List[Scopes], claims: typing.Dict[str, typing.Any]
+        self, org: "Organization", scopes: typing.List[Scopes], claims: typing.Dict[str, typing.Any]
     ) -> str:
+        org_id = org.org_id
+        stack_id = org.stack_id
+
         headers = {
             "Authorization": f"Bearer {self.api_token}",
-            "X-Org-ID": org_id,
+            # need to cast to str otherwise - requests.exceptions.InvalidHeader: Header part ... from ('X-Org-ID', 5000)
+            # must be of type str or bytes, not <class 'int'>
+            "X-Org-ID": str(org_id),
             "X-Realms": [
                 {
                     "type": "stack",
-                    "identifier": stack_id,
+                    "identifier": str(stack_id),
                 },
             ],
         }
diff --git a/engine/common/cloud_auth_api/tests/test_client.py b/engine/common/cloud_auth_api/tests/test_client.py
index c52d6eb0..8c0a9bd1 100644
--- a/engine/common/cloud_auth_api/tests/test_client.py
+++ b/engine/common/cloud_auth_api/tests/test_client.py
@@ -16,13 +16,17 @@ def configure_cloud_auth_api_client(settings):
 
 
 @patch("common.cloud_auth_api.client.requests")
+@pytest.mark.django_db
 @pytest.mark.parametrize("response_status_code", [status.HTTP_200_OK, status.HTTP_401_UNAUTHORIZED])
-def test_request_signed_token(mock_requests, response_status_code):
+def test_request_signed_token(mock_requests, make_organization, response_status_code):
     mock_auth_token = ",mnasdlkjlakjoqwejroiqwejr"
     mock_response_text = "error message"
 
     org_id = 1
     stack_id = 5
+
+    organization = make_organization(stack_id=stack_id, org_id=org_id)
+
     scopes = ["incident:write", "foo:bar"]
     claims = {"vegetable": "carrot", "fruit": "apple"}
 
@@ -42,7 +46,7 @@ def test_request_signed_token(mock_requests, response_status_code):
     mock_requests.post.return_value = MockResponse(response_status_code)
 
     def _make_request():
-        return CloudAuthApiClient().request_signed_token(org_id, stack_id, scopes, claims)
+        return CloudAuthApiClient().request_signed_token(organization, scopes, claims)
 
     url = f"{GRAFANA_CLOUD_AUTH_API_URL}/v1/sign"
 
@@ -61,11 +65,11 @@ def test_request_signed_token(mock_requests, response_status_code):
         url,
         headers={
             "Authorization": f"Bearer {GRAFANA_CLOUD_AUTH_API_SYSTEM_TOKEN}",
-            "X-Org-ID": org_id,
+            "X-Org-ID": str(org_id),
             "X-Realms": [
                 {
                     "type": "stack",
-                    "identifier": stack_id,
+                    "identifier": str(stack_id),
                 },
             ],
         },

From 4220199a86a05066752eeae4f2adc7337fefdb77 Mon Sep 17 00:00:00 2001
From: Joey Orlando <joseph.t.orlando@gmail.com>
Date: Thu, 25 Jan 2024 14:41:35 -0500
Subject: [PATCH 08/22] cast X-Realms header to jsonified string

---
 engine/common/cloud_auth_api/client.py           | 16 ++++++++++------
 .../common/cloud_auth_api/tests/test_client.py   | 15 +++++++++------
 2 files changed, 19 insertions(+), 12 deletions(-)

diff --git a/engine/common/cloud_auth_api/client.py b/engine/common/cloud_auth_api/client.py
index 193051a8..12b86961 100644
--- a/engine/common/cloud_auth_api/client.py
+++ b/engine/common/cloud_auth_api/client.py
@@ -1,4 +1,5 @@
 import enum
+import json
 import typing
 from urllib.parse import urljoin
 
@@ -43,17 +44,20 @@ class CloudAuthApiClient:
         org_id = org.org_id
         stack_id = org.stack_id
 
+        # NOTE: header values must always be strings
         headers = {
             "Authorization": f"Bearer {self.api_token}",
             # need to cast to str otherwise - requests.exceptions.InvalidHeader: Header part ... from ('X-Org-ID', 5000)
             # must be of type str or bytes, not <class 'int'>
             "X-Org-ID": str(org_id),
-            "X-Realms": [
-                {
-                    "type": "stack",
-                    "identifier": str(stack_id),
-                },
-            ],
+            "X-Realms": json.dumps(
+                [
+                    {
+                        "type": "stack",
+                        "identifier": str(stack_id),
+                    },
+                ]
+            ),
         }
 
         url = urljoin(self.api_base_url, "v1/sign")
diff --git a/engine/common/cloud_auth_api/tests/test_client.py b/engine/common/cloud_auth_api/tests/test_client.py
index 8c0a9bd1..2a10626c 100644
--- a/engine/common/cloud_auth_api/tests/test_client.py
+++ b/engine/common/cloud_auth_api/tests/test_client.py
@@ -1,3 +1,4 @@
+import json
 from unittest.mock import patch
 
 import pytest
@@ -66,12 +67,14 @@ def test_request_signed_token(mock_requests, make_organization, response_status_
         headers={
             "Authorization": f"Bearer {GRAFANA_CLOUD_AUTH_API_SYSTEM_TOKEN}",
             "X-Org-ID": str(org_id),
-            "X-Realms": [
-                {
-                    "type": "stack",
-                    "identifier": str(stack_id),
-                },
-            ],
+            "X-Realms": json.dumps(
+                [
+                    {
+                        "type": "stack",
+                        "identifier": str(stack_id),
+                    },
+                ]
+            ),
         },
         json={
             "claims": claims,

From baddc640925c818b16c9234493f6d5b3e00d403e Mon Sep 17 00:00:00 2001
From: Joey Orlando <joseph.t.orlando@gmail.com>
Date: Thu, 25 Jan 2024 15:14:08 -0500
Subject: [PATCH 09/22] remove iat and exp from auth api token claims

---
 .../tests/test_mobile_app_gateway.py          |  6 ----
 engine/apps/mobile_app/views.py               | 32 ++++++-------------
 2 files changed, 10 insertions(+), 28 deletions(-)

diff --git a/engine/apps/mobile_app/tests/test_mobile_app_gateway.py b/engine/apps/mobile_app/tests/test_mobile_app_gateway.py
index a860a85a..8dcd9766 100644
--- a/engine/apps/mobile_app/tests/test_mobile_app_gateway.py
+++ b/engine/apps/mobile_app/tests/test_mobile_app_gateway.py
@@ -4,7 +4,6 @@ from unittest.mock import patch
 import pytest
 import requests
 from django.urls import reverse
-from django.utils import timezone
 from rest_framework import status
 from rest_framework.test import APIClient
 from rest_framework.views import APIView
@@ -18,7 +17,6 @@ MOCK_DOWNSTREAM_INCIDENT_API_URL = "https://mockdownstreamincidentapi.com"
 MOCK_DOWNSTREAM_HEADERS = {"Authorization": "Bearer mock_auth_token"}
 MOCK_DOWNSTREAM_RESPONSE_DATA = {"foo": "bar"}
 
-MOCK_TIMEZONE_NOW = timezone.datetime(2021, 1, 1, 3, 4, 5, tzinfo=timezone.utc)
 MOCK_AUTH_TOKEN = "mncn,zxcnv,mznxcv"
 
 
@@ -321,9 +319,7 @@ def test_mobile_app_gateway_proxies_headers(
 
 @pytest.mark.django_db
 @patch("apps.mobile_app.views.CloudAuthApiClient.request_signed_token", return_value=MOCK_AUTH_TOKEN)
-@patch("apps.mobile_app.views.timezone.now", return_value=MOCK_TIMEZONE_NOW)
 def test_mobile_app_gateway_properly_generates_an_auth_token(
-    _mock_timezone_now,
     mock_request_signed_token,
     make_organization,
     make_user_for_organization,
@@ -347,8 +343,6 @@ def test_mobile_app_gateway_properly_generates_an_auth_token(
         organization,
         [CloudAuthApiClient.Scopes.INCIDENT_WRITE],
         {
-            "iat": MOCK_TIMEZONE_NOW,
-            "exp": MOCK_TIMEZONE_NOW + timezone.timedelta(minutes=1),
             "user_id": user.user_id,  # grafana user ID
             "user_email": user.email,
             "stack_id": organization.stack_id,
diff --git a/engine/apps/mobile_app/views.py b/engine/apps/mobile_app/views.py
index 46da4b5a..0e5b172d 100644
--- a/engine/apps/mobile_app/views.py
+++ b/engine/apps/mobile_app/views.py
@@ -5,7 +5,6 @@ import typing
 import requests
 from django.conf import settings
 from django.core.exceptions import ObjectDoesNotExist
-from django.utils import timezone
 from fcm_django.api.rest_framework import FCMDeviceAuthorizedViewSet as BaseFCMDeviceAuthorizedViewSet
 from rest_framework import mixins, status, viewsets
 from rest_framework.exceptions import NotFound, ParseError
@@ -147,37 +146,26 @@ class MobileAppGatewayView(APIView):
             raise NotFound
         super().initial(request, *args, **kwargs)
 
-    @classmethod
-    def _construct_token_claims(cls, user: "User") -> typing.Dict[str, typing.Any]:
-        organization = user.organization
-        now = timezone.now()
-
-        return {
-            # TODO: do we need to specify iat and exp?
-            # registered claim names
-            "iat": now,
-            "exp": now + timezone.timedelta(minutes=1),  # jwt is short lived. expires in 1 minute.
-            # custom data
-            "user_id": user.user_id,  # grafana user ID
-            "user_email": user.email,
-            "stack_id": organization.stack_id,
-            "organization_id": organization.org_id,  # grafana org ID
-            "stack_slug": organization.stack_slug,
-            "org_slug": organization.org_slug,
-        }
-
     @classmethod
     def _get_auth_token(cls, downstream_backend: SupportedDownstreamBackends, user: "User") -> str:
         """
         RS256 = asymmetric = public/private key pair
         HS256 = symmetric = shared secret (don't use this)
         """
-        token_claims = cls._construct_token_claims(user)
+        org = user.organization
+        token_claims = {
+            "user_id": user.user_id,  # grafana user ID
+            "user_email": user.email,
+            "stack_id": org.stack_id,
+            "organization_id": org.org_id,  # grafana org ID
+            "stack_slug": org.stack_slug,
+            "org_slug": org.org_slug,
+        }
+
         token_scopes = {
             cls.SupportedDownstreamBackends.INCIDENT: [CloudAuthApiClient.Scopes.INCIDENT_WRITE],
         }[downstream_backend]
 
-        org = user.organization
         return f"{org.stack_id}:{CloudAuthApiClient().request_signed_token(org, token_scopes, token_claims)}"
 
     @classmethod

From 19686a9cd65aa2725165f5e6c32f8caf6246d70e Mon Sep 17 00:00:00 2001
From: Joey Orlando <joseph.t.orlando@gmail.com>
Date: Fri, 26 Jan 2024 10:48:35 -0500
Subject: [PATCH 10/22] add some more logging to mobile app proxy

---
 engine/apps/mobile_app/views.py        |  5 +++++
 engine/common/cloud_auth_api/client.py | 13 +++++++++++++
 2 files changed, 18 insertions(+)

diff --git a/engine/apps/mobile_app/views.py b/engine/apps/mobile_app/views.py
index 0e5b172d..18f53032 100644
--- a/engine/apps/mobile_app/views.py
+++ b/engine/apps/mobile_app/views.py
@@ -206,6 +206,10 @@ class MobileAppGatewayView(APIView):
             raise NotFound(f"Downstream backend {downstream_backend} not supported")
 
         downstream_url = self._get_downstream_url(user.organization, downstream_backend, downstream_path)
+
+        log_msg_common = f"{downstream_backend} request to {method} {downstream_url}"
+        logger.info(f"Proxying {log_msg_common}")
+
         downstream_request_handler = getattr(requests, method.lower())
 
         try:
@@ -216,6 +220,7 @@ class MobileAppGatewayView(APIView):
                 headers=self._get_downstream_headers(request, downstream_backend, user),
             )
 
+            logger.info(f"Successfully proxied {log_msg_common}")
             return Response(status=downstream_response.status_code, data=downstream_response.json())
         except (
             requests.exceptions.RequestException,
diff --git a/engine/common/cloud_auth_api/client.py b/engine/common/cloud_auth_api/client.py
index 12b86961..8cfc3598 100644
--- a/engine/common/cloud_auth_api/client.py
+++ b/engine/common/cloud_auth_api/client.py
@@ -1,5 +1,6 @@
 import enum
 import json
+import logging
 import typing
 from urllib.parse import urljoin
 
@@ -11,6 +12,9 @@ if typing.TYPE_CHECKING:
     from apps.user_management.models import Organization
 
 
+logger = logging.getLogger(__name__)
+
+
 class CloudAuthApiException(Exception):
     """A generic 400 or 500 level exception from the Cloud Auth API"""
 
@@ -61,6 +65,9 @@ class CloudAuthApiClient:
         }
 
         url = urljoin(self.api_base_url, "v1/sign")
+        common_log_msg = f"org_id={org_id} stack_id={stack_id} url={url}"
+        logger.info(f"Requesting signed token from Cloud Auth API {common_log_msg}")
+
         response = requests.post(
             url,
             headers=headers,
@@ -74,5 +81,11 @@ class CloudAuthApiClient:
         )
 
         if response.status_code != status.HTTP_200_OK:
+            logger.warning(
+                f"Got non-HTTP 200 when attempting to request signed token from Cloud Auth API {common_log_msg} "
+                f"status_code={response.status_code} response={response.text}"
+            )
             raise CloudAuthApiException(response.status_code, url, response.text, method="POST")
+
+        logger.info(f"Successfully requested signed token from Cloud Auth API {common_log_msg}")
         return response.json()["data"]["token"]

From c5917f4d32290c3d26697f2025e3670aed4ef14a Mon Sep 17 00:00:00 2001
From: Joey Orlando <joseph.t.orlando@gmail.com>
Date: Fri, 26 Jan 2024 14:38:16 -0500
Subject: [PATCH 11/22] pass str(org_id) to cloud auth api

---
 engine/common/cloud_auth_api/client.py            | 9 +++++----
 engine/common/cloud_auth_api/tests/test_client.py | 2 +-
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/engine/common/cloud_auth_api/client.py b/engine/common/cloud_auth_api/client.py
index 8cfc3598..0694944a 100644
--- a/engine/common/cloud_auth_api/client.py
+++ b/engine/common/cloud_auth_api/client.py
@@ -45,20 +45,21 @@ class CloudAuthApiClient:
     def request_signed_token(
         self, org: "Organization", scopes: typing.List[Scopes], claims: typing.Dict[str, typing.Any]
     ) -> str:
-        org_id = org.org_id
-        stack_id = org.stack_id
+        # The Cloud Auth API expects the org_id and stack_id to be strings
+        org_id = str(org.org_id)
+        stack_id = str(org.stack_id)
 
         # NOTE: header values must always be strings
         headers = {
             "Authorization": f"Bearer {self.api_token}",
             # need to cast to str otherwise - requests.exceptions.InvalidHeader: Header part ... from ('X-Org-ID', 5000)
             # must be of type str or bytes, not <class 'int'>
-            "X-Org-ID": str(org_id),
+            "X-Org-ID": org_id,
             "X-Realms": json.dumps(
                 [
                     {
                         "type": "stack",
-                        "identifier": str(stack_id),
+                        "identifier": stack_id,
                     },
                 ]
             ),
diff --git a/engine/common/cloud_auth_api/tests/test_client.py b/engine/common/cloud_auth_api/tests/test_client.py
index 2a10626c..4ef028f4 100644
--- a/engine/common/cloud_auth_api/tests/test_client.py
+++ b/engine/common/cloud_auth_api/tests/test_client.py
@@ -80,7 +80,7 @@ def test_request_signed_token(mock_requests, make_organization, response_status_
             "claims": claims,
             "extra": {
                 "scopes": scopes,
-                "org_id": org_id,
+                "org_id": str(org_id),
             },
         },
     )

From bb7ce3d1337aee5e96181c3a17a108744de7e805 Mon Sep 17 00:00:00 2001
From: Maxim Mordasov <maxim.mordasov@grafana.com>
Date: Mon, 29 Jan 2024 12:23:21 +0300
Subject: [PATCH 12/22] Fix dynamic labels & multi-label extraction labels
 (#3753)

# What this PR does

Fix dynamic labels & multi-label extraction labels

## Which issue(s) this PR fixes

https://github.com/grafana/oncall/issues/3750

## Checklist

- [ ] Unit, integration, and e2e (if applicable) tests updated
- [ ] Documentation added (or `pr:no public docs` PR label added if not
required)
- [ ] `CHANGELOG.md` updated (or `pr:no changelog` PR label added if not
required)
---
 CHANGELOG.md                                             | 1 +
 .../IntegrationLabelsForm/IntegrationLabelsForm.tsx      | 9 +++++----
 .../OutgoingWebhookForm/OutgoingWebhookForm.tsx          | 1 +
 3 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 34c4efd2..e981536f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Fixed
 
 - Fixed too frequent retry of `perform_notification` task on Telegram ratelimit error by @Ferril ([#3744](https://github.com/grafana/oncall/pull/3744))
+- Dynamic labels & multi-label extraction label are broken ([#3750](https://github.com/grafana/oncall/issues/3750))
 - Add check whether organization has Slack connection on update Slack related field using public api endpoints
   by @Ferril ([#3751](https://github.com/grafana/oncall/pull/3751))
 
diff --git a/grafana-plugin/src/containers/IntegrationLabelsForm/IntegrationLabelsForm.tsx b/grafana-plugin/src/containers/IntegrationLabelsForm/IntegrationLabelsForm.tsx
index 73f54d1e..ac53937d 100644
--- a/grafana-plugin/src/containers/IntegrationLabelsForm/IntegrationLabelsForm.tsx
+++ b/grafana-plugin/src/containers/IntegrationLabelsForm/IntegrationLabelsForm.tsx
@@ -206,9 +206,10 @@ const IntegrationLabelsForm = observer((props: IntegrationLabelsFormProps) => {
           templates={templates}
           templateBody={alertGroupLabels.custom[customLabelIndexToShowTemplateEditor].value.name}
           onHide={() => setCustomLabelIndexToShowTemplateEditor(undefined)}
-          onUpdateTemplates={({ alert_group_labels }) => {
+          onUpdateTemplates={(templates) => {
             const newCustom = [...alertGroupLabels.custom];
-            newCustom[customLabelIndexToShowTemplateEditor].value.name = alert_group_labels;
+            newCustom[customLabelIndexToShowTemplateEditor].value.name =
+              templates[LabelTemplateOptions.AlertGroupDynamicLabel.key];
 
             setAlertGroupLabels({
               ...alertGroupLabels,
@@ -229,10 +230,10 @@ const IntegrationLabelsForm = observer((props: IntegrationLabelsFormProps) => {
           templates={templates}
           templateBody={alertGroupLabels.template}
           onHide={() => setShowTemplateEditor(false)}
-          onUpdateTemplates={({ alert_group_labels }) => {
+          onUpdateTemplates={(templates) => {
             setAlertGroupLabels({
               ...alertGroupLabels,
-              template: alert_group_labels,
+              template: templates[LabelTemplateOptions.AlertGroupMultiLabel.key],
             });
 
             setShowTemplateEditor(undefined);
diff --git a/grafana-plugin/src/containers/OutgoingWebhookForm/OutgoingWebhookForm.tsx b/grafana-plugin/src/containers/OutgoingWebhookForm/OutgoingWebhookForm.tsx
index c2714029..f3fb474a 100644
--- a/grafana-plugin/src/containers/OutgoingWebhookForm/OutgoingWebhookForm.tsx
+++ b/grafana-plugin/src/containers/OutgoingWebhookForm/OutgoingWebhookForm.tsx
@@ -177,6 +177,7 @@ const OutgoingWebhookForm = observer((props: OutgoingWebhookFormProps) => {
       preset: selectedPreset?.id,
       trigger_type: null,
       http_method: 'POST',
+      forward_all: true,
     };
   } else if (isNewOrCopy) {
     data = { ...outgoingWebhookStore.items[id], is_legacy: false, name: '' };

From 29dadcc07fca347f6eb1f88dd43b807cbebe40be Mon Sep 17 00:00:00 2001
From: Maxim Mordasov <maxim.mordasov@grafana.com>
Date: Mon, 29 Jan 2024 17:15:56 +0300
Subject: [PATCH 13/22] Show warning when edit AM-based resolve templates
 (#3764)

# What this PR does

show autoresolve template for ALL integrations when autoresolve is ON
show modal on edit button click for alertmanager based integrations

<img width="557" alt="Screenshot 2024-01-29 at 13 37 08"
src="https://github.com/grafana/oncall/assets/20116910/64569912-4601-4be1-b51e-b040906a3ffb">


## Which issue(s) this PR fixes

Frontend part of https://github.com/grafana/oncall-private/issues/2260


## Checklist

- [ ] Unit, integration, and e2e (if applicable) tests updated
- [ ] Documentation added (or `pr:no public docs` PR label added if not
required)
- [ ] `CHANGELOG.md` updated (or `pr:no changelog` PR label added if not
required)

---------

Co-authored-by: Vadim Stepanov <vadimkerr@gmail.com>
---
 CHANGELOG.md                                  |  1 +
 .../Integrations/IntegrationTemplateBlock.tsx | 27 +++++++---
 .../components/WithConfirm/WithConfirm.tsx    | 18 +++++--
 .../IntegrationTemplatesList.tsx              | 52 ++++++-------------
 4 files changed, 52 insertions(+), 46 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index e981536f..bdf2b257 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 
 - Improved logging during plugin sync and install with Grafana @mderynck ([#3730](https://github.com/grafana/oncall/pull/3730))
+- Add a modal for autoresolve and grouping templates for Alertmanager-based integrations ([#3764](https://github.com/grafana/oncall/pull/3764))
 
 ### Fixed
 
diff --git a/grafana-plugin/src/components/Integrations/IntegrationTemplateBlock.tsx b/grafana-plugin/src/components/Integrations/IntegrationTemplateBlock.tsx
index 889eb9d2..ff77ac4f 100644
--- a/grafana-plugin/src/components/Integrations/IntegrationTemplateBlock.tsx
+++ b/grafana-plugin/src/components/Integrations/IntegrationTemplateBlock.tsx
@@ -1,8 +1,9 @@
 import React from 'react';
 
-import { Button, InlineLabel, LoadingPlaceholder, Tooltip } from '@grafana/ui';
+import { Button, InlineLabel, LoadingPlaceholder } from '@grafana/ui';
 import cn from 'classnames/bind';
 
+import WithConfirm from 'components/WithConfirm/WithConfirm';
 import { WithPermissionControlTooltip } from 'containers/WithPermissionControl/WithPermissionControlTooltip';
 import { UserActions } from 'utils/authorization';
 
@@ -17,6 +18,7 @@ interface IntegrationTemplateBlockProps {
   renderInput: () => React.ReactNode;
   showHelp?: boolean;
   isLoading?: boolean;
+  warningOnEdit?: string;
 
   onEdit: (templateName) => void;
   onRemove?: () => void;
@@ -31,6 +33,7 @@ const IntegrationTemplateBlock: React.FC<IntegrationTemplateBlockProps> = ({
   onEdit,
   onRemove,
   isLoading,
+  warningOnEdit,
 }) => {
   let tooltip = labelTooltip;
   let inlineLabelProps = { tooltip };
@@ -48,14 +51,24 @@ const IntegrationTemplateBlock: React.FC<IntegrationTemplateBlockProps> = ({
         {isTemplateEditable && (
           <>
             <WithPermissionControlTooltip userAction={UserActions.IntegrationsWrite}>
-              <Tooltip content={'Edit'}>
-                <Button variant={'secondary'} icon={'edit'} tooltip="Edit" size={'md'} onClick={onEdit} />
-              </Tooltip>
+              <WithConfirm skip={!warningOnEdit} title="" body={warningOnEdit} confirmText="Edit">
+                <Button variant={'secondary'} icon="edit" tooltip="Edit" size="md" onClick={onEdit} />
+              </WithConfirm>
             </WithPermissionControlTooltip>
             <WithPermissionControlTooltip userAction={UserActions.IntegrationsWrite}>
-              <Tooltip content={'Reset template to default'}>
-                <Button variant={'secondary'} icon={'times'} size={'md'} onClick={onRemove} />
-              </Tooltip>
+              <WithConfirm
+                title=""
+                body={`Are you sure you want to reset the ${label} template to its default state?`}
+                confirmText="Reset"
+              >
+                <Button
+                  variant="secondary"
+                  icon="times"
+                  size="md"
+                  tooltip="Reset template to default"
+                  onClick={onRemove}
+                />
+              </WithConfirm>
             </WithPermissionControlTooltip>
           </>
         )}
diff --git a/grafana-plugin/src/components/WithConfirm/WithConfirm.tsx b/grafana-plugin/src/components/WithConfirm/WithConfirm.tsx
index 569cee31..0a725150 100644
--- a/grafana-plugin/src/components/WithConfirm/WithConfirm.tsx
+++ b/grafana-plugin/src/components/WithConfirm/WithConfirm.tsx
@@ -5,6 +5,7 @@ import { ConfirmModal, ConfirmModalProps } from '@grafana/ui';
 type WithConfirmProps = Partial<ConfirmModalProps> & {
   children: ReactElement;
   disabled?: boolean;
+  skip?: boolean;
 };
 
 const WithConfirm: React.FC<WithConfirmProps> = ({
@@ -15,14 +16,23 @@ const WithConfirm: React.FC<WithConfirmProps> = ({
   confirmationText,
   children,
   disabled,
+  skip = false,
 }) => {
   const [showConfirmation, setShowConfirmation] = useState<boolean>(false);
 
-  const onClickCallback = useCallback((event) => {
-    event.stopPropagation();
+  const onClickCallback = useCallback(
+    (event) => {
+      if (skip) {
+        children.props.onClick?.();
+        return;
+      }
 
-    setShowConfirmation(true);
-  }, []);
+      event.stopPropagation();
+
+      setShowConfirmation(true);
+    },
+    [skip]
+  );
 
   const onConfirmCallback = useCallback(() => {
     if (children.props.onClick) {
diff --git a/grafana-plugin/src/containers/IntegrationContainers/IntegrationTemplatesList.tsx b/grafana-plugin/src/containers/IntegrationContainers/IntegrationTemplatesList.tsx
index 9d3708c8..c40e49a9 100644
--- a/grafana-plugin/src/containers/IntegrationContainers/IntegrationTemplatesList.tsx
+++ b/grafana-plugin/src/containers/IntegrationContainers/IntegrationTemplatesList.tsx
@@ -1,6 +1,6 @@
 import React, { useState, useCallback } from 'react';
 
-import { ConfirmModal, InlineSwitch, Tooltip } from '@grafana/ui';
+import { InlineSwitch, Tooltip } from '@grafana/ui';
 import cn from 'classnames/bind';
 import { observer } from 'mobx-react';
 
@@ -39,7 +39,6 @@ const IntegrationTemplateList: React.FC<IntegrationTemplateListProps> = observer
     const { alertReceiveChannelStore, features } = useStore();
     const [isRestoringTemplate, setIsRestoringTemplate] = useState<boolean>(false);
     const [templateRestoreName, setTemplateRestoreName] = useState<string>(undefined);
-    const [showConfirmModal, setShowConfirmModal] = useState(false);
     const [autoresolveValue, setAutoresolveValue] = useState<boolean>(alertReceiveChannelAllowSourceBasedResolving);
 
     const handleSaveClick = useCallback((event: React.ChangeEvent<HTMLInputElement>) => {
@@ -57,19 +56,6 @@ const IntegrationTemplateList: React.FC<IntegrationTemplateListProps> = observer
 
     return (
       <div className={cx('integration__templates')}>
-        {showConfirmModal && (
-          <ConfirmModal
-            isOpen={true}
-            title={undefined}
-            confirmText={'Reset'}
-            dismissText="Cancel"
-            body={'Are you sure you want to reset Slack Title template to default state?'}
-            description={undefined}
-            confirmationText={undefined}
-            onConfirm={() => onResetTemplate(templateRestoreName)}
-            onDismiss={() => onDismiss()}
-          />
-        )}
         {templatesToRender.map((template, key) => (
           <IntegrationBlockItem key={key}>
             <VerticalBlock>
@@ -78,10 +64,18 @@ const IntegrationTemplateList: React.FC<IntegrationTemplateListProps> = observer
                 <IntegrationTemplateBlock
                   key={innerKey}
                   isLoading={isRestoringTemplate && templateRestoreName === contents.name}
-                  onRemove={() => onShowConfirmModal(contents.name)}
+                  onRemove={() => onResetTemplate(contents.name)}
                   label={contents.label}
                   labelTooltip={contents.labelTooltip}
-                  isTemplateEditable={isResolveConditionTemplateEditable(contents.name)}
+                  isTemplateEditable={isTemplateEditable(contents.name)}
+                  warningOnEdit={
+                    alertReceiveChannelIsBasedOnAlertManager &&
+                    (isGroupingIdTemplate(contents.name) || isResolveConditionTemplate(contents.name))
+                      ? 'Caution: Changing this template can lead to unexpected alert behavior, ' +
+                        'especially if grouping is enabled in AlertManager/Grafana Alerting. ' +
+                        'Please proceed only if you are completely sure of the modifications you are about to make.'
+                      : undefined
+                  }
                   renderInput={() => (
                     <>
                       {isResolveConditionTemplate(contents.name) && (
@@ -90,10 +84,11 @@ const IntegrationTemplateList: React.FC<IntegrationTemplateListProps> = observer
                             value={autoresolveValue}
                             onChange={handleSaveClick}
                             className={cx('inline-switch')}
+                            transparent
                           />
                         </Tooltip>
                       )}
-                      {isResolveConditionTemplateEditable(contents.name) && (
+                      {isTemplateEditable(contents.name) && (
                         <div
                           className={cx('input', { 'input-with-toggle': isResolveConditionTemplate(contents.name) })}
                         >
@@ -121,25 +116,16 @@ const IntegrationTemplateList: React.FC<IntegrationTemplateListProps> = observer
       </div>
     );
 
-    function isResolveConditionTemplateEditable(templateName: string) {
-      return (
-        !(alertReceiveChannelIsBasedOnAlertManager && isResolveConditionTemplate(templateName)) &&
-        (alertReceiveChannelAllowSourceBasedResolving || !isResolveConditionTemplate(templateName))
-      );
+    function isTemplateEditable(templateName: string) {
+      return alertReceiveChannelAllowSourceBasedResolving || !isResolveConditionTemplate(templateName);
     }
 
     function isResolveConditionTemplate(templateName: string) {
       return templateName === 'resolve_condition_template';
     }
 
-    function onShowConfirmModal(templateName: string) {
-      setTemplateRestoreName(templateName);
-      setShowConfirmModal(true);
-    }
-
-    function onDismiss() {
-      setTemplateRestoreName(undefined);
-      setShowConfirmModal(false);
+    function isGroupingIdTemplate(templateName: string) {
+      return templateName === 'grouping_id_template';
     }
 
     function onResetTemplate(templateName: string) {
@@ -157,10 +143,6 @@ const IntegrationTemplateList: React.FC<IntegrationTemplateListProps> = observer
           } else {
             openErrorNotification(err.message);
           }
-        })
-        .finally(() => {
-          setIsRestoringTemplate(false);
-          setShowConfirmModal(false);
         });
     }
   }

From e17bad4cddcaa3aad69641da8d82f7deb8763592 Mon Sep 17 00:00:00 2001
From: Yulya Artyukhina <Ferril.darkdiver@gmail.com>
Date: Mon, 29 Jan 2024 15:32:03 +0100
Subject: [PATCH 14/22] Fix calculating number of oncall users per team (#3773)

# What this PR does
Fixes calculating number of oncall users per team for `team` api
endpoint

## Checklist

- [x] Unit, integration, and e2e (if applicable) tests updated
- [x] Documentation added (or `pr:no public docs` PR label added if not
required)
- [x] `CHANGELOG.md` updated (or `pr:no changelog` PR label added if not
required)
---
 CHANGELOG.md                        | 1 +
 engine/apps/api/serializers/team.py | 6 +++---
 engine/apps/api/tests/test_team.py  | 6 ++++--
 3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index bdf2b257..3329f979 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -18,6 +18,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Dynamic labels & multi-label extraction label are broken ([#3750](https://github.com/grafana/oncall/issues/3750))
 - Add check whether organization has Slack connection on update Slack related field using public api endpoints
   by @Ferril ([#3751](https://github.com/grafana/oncall/pull/3751))
+- Fixed calculating the number of on-call users per team by @Ferril ([#3773](https://github.com/grafana/oncall/pull/3773))
 
 ## v1.3.92 (2024-01-23)
 
diff --git a/engine/apps/api/serializers/team.py b/engine/apps/api/serializers/team.py
index b7263bcd..3e8b49de 100644
--- a/engine/apps/api/serializers/team.py
+++ b/engine/apps/api/serializers/team.py
@@ -50,10 +50,10 @@ class TeamLongSerializer(TeamSerializer):
         ]
 
     def get_number_of_users_currently_oncall(self, obj: Team) -> int:
-        num_of_users_oncall_for_team = 0
+        oncall_users = set()
 
         for schedule, users in self.context["schedules_with_oncall_users"].items():
             if schedule.team == obj:
-                num_of_users_oncall_for_team += len(users)
+                oncall_users |= set(users)
 
-        return num_of_users_oncall_for_team
+        return len(oncall_users)
diff --git a/engine/apps/api/tests/test_team.py b/engine/apps/api/tests/test_team.py
index d5aeeb56..b0ef4a97 100644
--- a/engine/apps/api/tests/test_team.py
+++ b/engine/apps/api/tests/test_team.py
@@ -166,7 +166,7 @@ def test_teams_number_of_users_currently_oncall_attribute_works_properly(
     team3 = make_team(organization)
 
     team1.users.set([user1, user2, user3])
-    team2.users.set([user1])
+    team2.users.set([user1, user2])
     team3.users.set([user3])
 
     def _make_schedule(team=None, oncall_users=None):
@@ -193,7 +193,9 @@ def test_teams_number_of_users_currently_oncall_attribute_works_properly(
             schedule.refresh_ical_file()
             schedule.refresh_ical_final_schedule()
 
+    # create two schedules for team 1 to make sure that every user is calculated only once per team
     _make_schedule(team=team1, oncall_users=[user1, user2])
+    _make_schedule(team=team1, oncall_users=[user1, user3])
     _make_schedule(team=team2, oncall_users=[user1])
     _make_schedule(team=team3, oncall_users=[])
 
@@ -203,7 +205,7 @@ def test_teams_number_of_users_currently_oncall_attribute_works_properly(
     response = client.get(url, format="json", **make_user_auth_headers(user1, token))
 
     number_of_oncall_users = {
-        team1.public_primary_key: 2,
+        team1.public_primary_key: 3,
         team2.public_primary_key: 1,
         team3.public_primary_key: 0,
         NO_TEAM_VALUE: 0,  # this covers the case of "No team"

From 65cdcf93ba388ab25fe0b865c5f0257cc7009314 Mon Sep 17 00:00:00 2001
From: Matias Bordese <mbordese@gmail.com>
Date: Mon, 29 Jan 2024 14:41:20 -0300
Subject: [PATCH 15/22] Add is_currently_oncall information to internal user
 details API (#3765)

Related to https://github.com/grafana/oncall/issues/3164
---
 CHANGELOG.md                        |   1 +
 engine/apps/api/serializers/user.py |  31 +++++---
 engine/apps/api/tests/test_user.py  |  37 +++++++++-
 engine/apps/api/views/user.py       | 108 +++++++++++++++++-----------
 4 files changed, 127 insertions(+), 50 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3329f979..12da05ae 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 
 - Improved logging during plugin sync and install with Grafana @mderynck ([#3730](https://github.com/grafana/oncall/pull/3730))
+- Added `is_currently_oncall` information to internal user details API ([#3765](https://github.com/grafana/oncall/pull/3765))
 - Add a modal for autoresolve and grouping templates for Alertmanager-based integrations ([#3764](https://github.com/grafana/oncall/pull/3764))
 
 ### Fixed
diff --git a/engine/apps/api/serializers/user.py b/engine/apps/api/serializers/user.py
index c399fe26..9babaa5b 100644
--- a/engine/apps/api/serializers/user.py
+++ b/engine/apps/api/serializers/user.py
@@ -51,7 +51,7 @@ class WorkingHoursSerializer(serializers.Serializer):
     sunday = serializers.ListField(child=WorkingHoursPeriodSerializer())
 
 
-class UserSerializer(DynamicFieldsModelSerializer, EagerLoadingMixin):
+class ListUserSerializer(DynamicFieldsModelSerializer, EagerLoadingMixin):
     pk = serializers.CharField(read_only=True, source="public_primary_key")
     slack_user_identity = SlackUserIdentitySerializer(read_only=True)
 
@@ -165,6 +165,24 @@ class UserSerializer(DynamicFieldsModelSerializer, EagerLoadingMixin):
         return f"{HIDE_SYMBOL * (len(number) - SHOW_LAST_SYMBOLS)}{number[-SHOW_LAST_SYMBOLS:]}"
 
 
+class UserSerializer(ListUserSerializer):
+    context: UserSerializerContext
+
+    is_currently_oncall = serializers.SerializerMethodField()
+
+    class Meta(ListUserSerializer.Meta):
+        fields = ListUserSerializer.Meta.fields + [
+            "is_currently_oncall",
+        ]
+        read_only_fields = ListUserSerializer.Meta.read_only_fields + [
+            "is_currently_oncall",
+        ]
+
+    def get_is_currently_oncall(self, obj: User) -> bool:
+        # Serializer context is set here: apps.api.views.user.UserView.get_serializer_context.
+        return any(obj in users for users in self.context.get("schedules_with_oncall_users", {}).values())
+
+
 class CurrentUserSerializer(UserSerializer):
     rbac_permissions = UserPermissionSerializer(read_only=True, many=True, source="permissions")
 
@@ -176,7 +194,7 @@ class CurrentUserSerializer(UserSerializer):
         read_only_fields = UserSerializer.Meta.read_only_fields
 
 
-class UserHiddenFieldsSerializer(UserSerializer):
+class UserHiddenFieldsSerializer(ListUserSerializer):
     fields_available_for_all_users = [
         "pk",
         "organization",
@@ -198,7 +216,7 @@ class UserHiddenFieldsSerializer(UserSerializer):
         return ret
 
 
-class ScheduleUserSerializer(UserSerializer):
+class ScheduleUserSerializer(ListUserSerializer):
     fields_to_keep = [
         "pk",
         "organization",
@@ -214,7 +232,7 @@ class ScheduleUserSerializer(UserSerializer):
     ]
 
     def to_representation(self, instance):
-        serialized = super(UserSerializer, self).to_representation(instance)
+        serialized = super(ListUserSerializer, self).to_representation(instance)
         ret = {field: value for field, value in serialized.items() if field in self.fields_to_keep}
         return ret
 
@@ -288,10 +306,7 @@ class UserIsCurrentlyOnCallSerializer(UserShortSerializer, EagerLoadingMixin):
 
     def get_is_currently_oncall(self, obj: User) -> bool:
         # Serializer context is set here: apps.api.views.user.UserView.get_serializer_context.
-        for users in self.context.get("schedules_with_oncall_users", {}).values():
-            if obj in users:
-                return True
-        return False
+        return any(obj in users for users in self.context.get("schedules_with_oncall_users", {}).values())
 
 
 class PagedUserSerializer(serializers.Serializer):
diff --git a/engine/apps/api/tests/test_user.py b/engine/apps/api/tests/test_user.py
index 0d853861..6a8eaf29 100644
--- a/engine/apps/api/tests/test_user.py
+++ b/engine/apps/api/tests/test_user.py
@@ -24,7 +24,12 @@ def clear_cache():
 
 
 @pytest.mark.django_db
-def test_current_user(make_organization_and_user_with_plugin_token, make_user_auth_headers):
+def test_current_user(
+    make_organization_and_user_with_plugin_token,
+    make_user_auth_headers,
+    make_schedule,
+    make_on_call_shift,
+):
     organization, user, token = make_organization_and_user_with_plugin_token()
 
     client = APIClient()
@@ -42,6 +47,7 @@ def test_current_user(make_organization_and_user_with_plugin_token, make_user_au
         "rbac_permissions": user.permissions,
         "timezone": None,
         "working_hours": default_working_hours(),
+        "is_currently_oncall": False,
         "unverified_phone_number": None,
         "verified_phone_number": None,
         "telegram_configuration": None,
@@ -61,6 +67,28 @@ def test_current_user(make_organization_and_user_with_plugin_token, make_user_au
     assert response.status_code == status.HTTP_200_OK
     assert response.json() == expected_response
 
+    # current user is on-call
+    today = timezone.now().replace(hour=0, minute=0, second=0, microsecond=0)
+    schedule = make_schedule(organization, schedule_class=OnCallScheduleWeb)
+    on_call_shift = make_on_call_shift(
+        organization=organization,
+        shift_type=CustomOnCallShift.TYPE_ROLLING_USERS_EVENT,
+        start=today,
+        rotation_start=today,
+        duration=timezone.timedelta(seconds=24 * 60 * 60),
+        priority_level=1,
+        frequency=CustomOnCallShift.FREQUENCY_DAILY,
+        schedule=schedule,
+    )
+    on_call_shift.add_rolling_users([[user]])
+    schedule.refresh_ical_file()
+    schedule.refresh_ical_final_schedule()
+
+    response = client.get(url, format="json", **make_user_auth_headers(user, token))
+    assert response.status_code == status.HTTP_200_OK
+    expected_response["is_currently_oncall"] = True
+    assert response.json() == expected_response
+
     data_to_update = {"hide_phone_number": True}
 
     response = client.put(url, data=data_to_update, format="json", **make_user_auth_headers(user, token))
@@ -127,6 +155,7 @@ def test_update_user_cant_change_email_and_username(
         "role": admin.role,
         "timezone": None,
         "working_hours": default_working_hours(),
+        "is_currently_oncall": False,
         "unverified_phone_number": phone_number,
         "verified_phone_number": None,
         "telegram_configuration": None,
@@ -2017,6 +2046,12 @@ def test_users_is_currently_oncall_attribute_works_properly(
         assert user["teams"] == []
         assert user["is_currently_oncall"] == oncall_statuses[user["pk"]]
 
+    # getting specific user details include currently on-call info
+    url = reverse("api-internal:user-detail", kwargs={"pk": user1.public_primary_key})
+    response = client.get(url, format="json", **make_user_auth_headers(user1, token))
+
+    assert response.json()["is_currently_oncall"]
+
 
 @pytest.mark.django_db
 def test_list_users_filtered_by_is_currently_oncall(
diff --git a/engine/apps/api/views/user.py b/engine/apps/api/views/user.py
index fe8e9cb6..ee26f73d 100644
--- a/engine/apps/api/views/user.py
+++ b/engine/apps/api/views/user.py
@@ -31,6 +31,7 @@ from apps.api.serializers.team import TeamSerializer
 from apps.api.serializers.user import (
     CurrentUserSerializer,
     FilterUserSerializer,
+    ListUserSerializer,
     UserHiddenFieldsSerializer,
     UserIsCurrentlyOnCallSerializer,
     UserSerializer,
@@ -101,12 +102,40 @@ class UpcomingShift(typing.TypedDict):
 UpcomingShifts = list[UpcomingShift]
 
 
-class CurrentUserView(APIView):
+class CachedSchedulesContextMixin:
+    @cached_property
+    def schedules_with_oncall_users(self):
+        """
+        The result of this method is cached and is reused for the whole lifetime of a request,
+        since self.get_serializer_context() is called multiple times for every instance in the queryset.
+        """
+        return get_cached_oncall_users_for_multiple_schedules(self.request.user.organization.oncall_schedules.all())
+
+    def _populate_schedules_oncall_cache(self):
+        return False
+
+    def get_serializer_context(self):
+        context = getattr(super(), "get_serializer_context", lambda: {})()
+        context.update(
+            {
+                "schedules_with_oncall_users": self.schedules_with_oncall_users
+                if self._populate_schedules_oncall_cache()
+                else {}
+            }
+        )
+        return context
+
+
+class CurrentUserView(APIView, CachedSchedulesContextMixin):
     authentication_classes = (MobileAppAuthTokenAuthentication, PluginAuthentication)
     permission_classes = (IsAuthenticated,)
 
+    def _populate_schedules_oncall_cache(self):
+        return True
+
     def get(self, request):
-        context = {"request": self.request, "format": self.format_kwarg, "view": self}
+        context = self.get_serializer_context()
+        context.update({"request": self.request, "format": self.format_kwarg, "view": self})
 
         if settings.IS_OPEN_SOURCE and live_settings.GRAFANA_CLOUD_NOTIFICATIONS_ENABLED:
             from apps.oss_installation.models import CloudConnector, CloudUserIdentity
@@ -122,8 +151,10 @@ class CurrentUserView(APIView):
         return Response(serializer.data)
 
     def put(self, request):
+        context = self.get_serializer_context()
+        context.update({"request": self.request})
         data = self.request.data
-        serializer = CurrentUserSerializer(request.user, data=data, context={"request": self.request})
+        serializer = CurrentUserSerializer(request.user, data=data, context=context)
         serializer.is_valid(raise_exception=True)
         serializer.save()
         return Response(serializer.data)
@@ -158,6 +189,7 @@ class UserFilter(ByTeamModelFieldFilterMixin, filters.FilterSet):
 
 class UserView(
     PublicPrimaryKeyMixin,
+    CachedSchedulesContextMixin,
     mixins.RetrieveModelMixin,
     mixins.UpdateModelMixin,
     mixins.ListModelMixin,
@@ -247,51 +279,49 @@ class UserView(
 
     filterset_class = UserFilter
 
-    @cached_property
-    def schedules_with_oncall_users(self):
-        """
-        The result of this method is cached and is reused for the whole lifetime of a request,
-        since self.get_serializer_context() is called multiple times for every instance in the queryset.
-        """
-        return get_cached_oncall_users_for_multiple_schedules(self.request.user.organization.oncall_schedules.all())
-
     def _get_is_currently_oncall_query_param(self) -> str:
         return self.request.query_params.get("is_currently_oncall", "").lower()
 
-    def _is_currently_oncall_request(self) -> bool:
-        return self._get_is_currently_oncall_query_param() in ["true", "false", "all"]
-
-    def get_serializer_context(self):
-        context = super().get_serializer_context()
-        context.update(
-            {
-                "schedules_with_oncall_users": self.schedules_with_oncall_users
-                if self._is_currently_oncall_request()
-                else {}
-            }
+    def _populate_schedules_oncall_cache(self):
+        return (
+            # admin or owner can see on-call schedule information for a user
+            (self.is_owner_or_admin() and self.action != "list")
+            or
+            # list requests need to explicitly request on-call information
+            self._get_is_currently_oncall_query_param() in ["true", "false", "all"]
         )
-        return context
 
-    def get_serializer_class(self):
+    def is_owner_or_admin(self):
         request = self.request
         user = request.user
         kwargs = self.kwargs
-        query_params = request.query_params
-
-        is_list_request = self.action in ["list"]
-        is_filters_request = query_params.get("filters", "false") == "true"
-
-        if is_list_request and is_filters_request:
-            return FilterUserSerializer
-        elif is_list_request and self._is_currently_oncall_request():
-            return UserIsCurrentlyOnCallSerializer
 
         is_users_own_data = kwargs.get("pk") is not None and kwargs.get("pk") == user.public_primary_key
         has_admin_permission = user_is_authorized(user, [RBACPermission.Permissions.USER_SETTINGS_ADMIN])
 
-        if is_users_own_data or has_admin_permission:
-            return UserSerializer
-        return UserHiddenFieldsSerializer
+        return is_users_own_data or has_admin_permission
+
+    def get_serializer_class(self):
+        request = self.request
+        query_params = request.query_params
+
+        is_list_request = self.action == "list"
+        is_filters_request = query_params.get("filters", "false") == "true"
+
+        if is_list_request:
+            serializer = ListUserSerializer
+            if is_filters_request:
+                serializer = FilterUserSerializer
+            elif self._populate_schedules_oncall_cache():
+                serializer = UserIsCurrentlyOnCallSerializer
+            return serializer
+
+        # non-list requests
+        serializer = UserHiddenFieldsSerializer
+        if self.is_owner_or_admin():
+            serializer = UserSerializer
+
+        return serializer
 
     def get_queryset(self):
         slack_identity = self.request.query_params.get("slack_identity", None) == "true"
@@ -308,7 +338,7 @@ class UserView(
     @extend_schema(
         responses=PolymorphicProxySerializer(
             component_name="UserPolymorphic",
-            serializers=[FilterUserSerializer, UserIsCurrentlyOnCallSerializer, UserSerializer],
+            serializers=[FilterUserSerializer, UserIsCurrentlyOnCallSerializer, ListUserSerializer],
             resource_type_field_name=None,
         )
     )
@@ -401,10 +431,6 @@ class UserView(
             status=status.HTTP_403_FORBIDDEN,
         )
 
-    def current(self, request) -> Response:
-        serializer = UserSerializer(self.get_queryset().get(pk=self.request.user.pk))
-        return Response(serializer.data)
-
     @extend_schema(responses={status.HTTP_200_OK: resolve_type_hint(typing.List[str])})
     @action(detail=False, methods=["get"])
     def timezone_options(self, request) -> Response:

From c58a81bbdf4682c25a18d1788be6db0f8bb31906 Mon Sep 17 00:00:00 2001
From: Innokentii Konstantinov <innokenty.konstantinov@grafana.com>
Date: Tue, 30 Jan 2024 15:29:16 +0800
Subject: [PATCH 16/22] Enable labels feature only if labels plugin is enabled
 (#3769)

# What this PR does
Adds a check to enable labels feature only if plugin provisioned. It's
needed to be protected from reconciliation delays and etc.

## Checklist

- [x] Unit, integration, and e2e (if applicable) tests updated
- [x] Documentation added (or `pr:no public docs` PR label added if not
required)
- [x] `CHANGELOG.md` updated (or `pr:no changelog` PR label added if not
required)
---
 engine/apps/grafana_plugin/helpers/client.py  |   4 +
 engine/apps/labels/tests/test_labels.py       |  21 +++
 engine/apps/labels/utils.py                   |   6 +-
 ..._organization_is_grafana_labels_enabled.py |  18 +++
 .../user_management/models/organization.py    |   1 +
 engine/apps/user_management/sync.py           |  31 ++++-
 .../apps/user_management/tests/test_sync.py   | 124 +++++++++++++++---
 engine/conftest.py                            |  14 +-
 8 files changed, 189 insertions(+), 30 deletions(-)
 create mode 100644 engine/apps/user_management/migrations/0020_organization_is_grafana_labels_enabled.py

diff --git a/engine/apps/grafana_plugin/helpers/client.py b/engine/apps/grafana_plugin/helpers/client.py
index 142a28ed..ea7488b4 100644
--- a/engine/apps/grafana_plugin/helpers/client.py
+++ b/engine/apps/grafana_plugin/helpers/client.py
@@ -162,6 +162,7 @@ class APIClient:
 class GrafanaAPIClient(APIClient):
     GRAFANA_INCIDENT_PLUGIN = "grafana-incident-app"
     GRAFANA_INCIDENT_PLUGIN_BACKEND_URL_KEY = "backendUrl"
+    GRAFANA_LABELS_PLUGIN = "grafana-labels-app"
 
     USER_PERMISSION_ENDPOINT = f"api/access-control/users/permissions/search?actionPrefix={ACTION_PREFIX}"
 
@@ -302,6 +303,9 @@ class GrafanaAPIClient(APIClient):
     def get_grafana_incident_plugin_settings(self) -> APIClientResponse["GrafanaAPIClient.Types.PluginSettings"]:
         return self.get_grafana_plugin_settings(self.GRAFANA_INCIDENT_PLUGIN)
 
+    def get_grafana_labels_plugin_settings(self) -> APIClientResponse["GrafanaAPIClient.Types.PluginSettings"]:
+        return self.get_grafana_plugin_settings(self.GRAFANA_LABELS_PLUGIN)
+
     def get_service_account(self, login: str) -> APIClientResponse["GrafanaAPIClient.Types.ServiceAccountResponse"]:
         return self.api_get(f"api/serviceaccounts/search?query={login}")
 
diff --git a/engine/apps/labels/tests/test_labels.py b/engine/apps/labels/tests/test_labels.py
index 541beca4..bb1d5502 100644
--- a/engine/apps/labels/tests/test_labels.py
+++ b/engine/apps/labels/tests/test_labels.py
@@ -28,6 +28,27 @@ def test_labels_feature_flag(mock_is_labels_feature_enabled_for_org, make_organi
     mock_is_labels_feature_enabled_for_org(12345)
     # returns False if feature flag is disabled and organization is not in the feature list
     assert organization.org_id not in settings.FEATURE_LABELS_ENABLED_PER_ORG
+
+    assert not is_labels_feature_enabled(organization)
+
+
+@pytest.mark.django_db
+def test_labels_feature_flag_when_plugin_is_disabled(
+    mock_is_labels_feature_enabled_for_org, make_organization, settings
+):
+    organization = make_organization()
+    organization.is_grafana_labels_enabled = False
+    # returns False if feature flag is enabled, but plugin is disabled
+    assert settings.FEATURE_LABELS_ENABLED_FOR_ALL
+    assert organization.id not in settings.FEATURE_LABELS_ENABLED_PER_ORG
+    assert is_labels_feature_enabled(organization) is False
+
+    mock_is_labels_feature_enabled_for_org(organization.id)
+    # returns False if feature flag is disabled, organization is in the feature list, , but plugin is disabled
+    assert not settings.FEATURE_LABELS_ENABLED_FOR_ALL
+    assert organization.id in settings.FEATURE_LABELS_ENABLED_PER_ORG
+    assert is_labels_feature_enabled(organization) is False
+
     assert not is_labels_feature_enabled(organization)
 
 
diff --git a/engine/apps/labels/utils.py b/engine/apps/labels/utils.py
index d5aeee32..d4376d60 100644
--- a/engine/apps/labels/utils.py
+++ b/engine/apps/labels/utils.py
@@ -51,7 +51,11 @@ def get_associating_label_model(obj_model_name: str) -> typing.Type["AssociatedL
 
 
 def is_labels_feature_enabled(organization: "Organization") -> bool:
-    return settings.FEATURE_LABELS_ENABLED_FOR_ALL or organization.id in settings.FEATURE_LABELS_ENABLED_PER_ORG
+    """
+    is_labels_feature_enabled checks if env with labels feature is enabled and plugin is provisioned.
+    """
+    env_enabled = settings.FEATURE_LABELS_ENABLED_FOR_ALL or organization.id in settings.FEATURE_LABELS_ENABLED_PER_ORG
+    return organization.is_grafana_labels_enabled and env_enabled
 
 
 def get_labels_dict(labelable) -> dict[str, str]:
diff --git a/engine/apps/user_management/migrations/0020_organization_is_grafana_labels_enabled.py b/engine/apps/user_management/migrations/0020_organization_is_grafana_labels_enabled.py
new file mode 100644
index 00000000..027a9aef
--- /dev/null
+++ b/engine/apps/user_management/migrations/0020_organization_is_grafana_labels_enabled.py
@@ -0,0 +1,18 @@
+# Generated by Django 4.2.7 on 2024-01-30 07:17
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('user_management', '0019_organization_grafana_incident_backend_url'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='organization',
+            name='is_grafana_labels_enabled',
+            field=models.BooleanField(default=False, null=True),
+        ),
+    ]
diff --git a/engine/apps/user_management/models/organization.py b/engine/apps/user_management/models/organization.py
index 18b72758..139fc358 100644
--- a/engine/apps/user_management/models/organization.py
+++ b/engine/apps/user_management/models/organization.py
@@ -252,6 +252,7 @@ class Organization(MaintainableObject):
 
     is_rbac_permissions_enabled = models.BooleanField(default=False)
     is_grafana_incident_enabled = models.BooleanField(default=False)
+    is_grafana_labels_enabled = models.BooleanField(default=False, null=True)
 
     alert_group_table_columns: list[AlertGroupTableColumn] | None = JSONField(default=None, null=True)
     grafana_incident_backend_url = models.CharField(max_length=300, null=True, default=None)
diff --git a/engine/apps/user_management/sync.py b/engine/apps/user_management/sync.py
index a06a7fc5..fd8256e1 100644
--- a/engine/apps/user_management/sync.py
+++ b/engine/apps/user_management/sync.py
@@ -52,12 +52,8 @@ def _sync_organization(organization: Organization) -> None:
         sync_users_and_teams(grafana_api_client, organization)
         organization.last_time_synced = timezone.now()
 
-        grafana_incident_settings, _ = grafana_api_client.get_grafana_incident_plugin_settings()
-        if grafana_incident_settings is not None:
-            organization.is_grafana_incident_enabled = grafana_incident_settings["enabled"]
-            organization.grafana_incident_backend_url = grafana_incident_settings.get("jsonData", {}).get(
-                GrafanaAPIClient.GRAFANA_INCIDENT_PLUGIN_BACKEND_URL_KEY
-            )
+        _sync_grafana_incident_plugin(organization, grafana_api_client)
+        _sync_grafana_labels_plugin(organization, grafana_api_client)
     else:
         organization.api_token_status = Organization.API_TOKEN_STATUS_FAILED
         logger.warning(f"Sync not successful org={organization.pk} token_status=FAILED")
@@ -99,6 +95,29 @@ def _sync_instance_info(organization: Organization) -> None:
         organization.gcom_token_org_last_time_synced = timezone.now()
 
 
+def _sync_grafana_labels_plugin(organization: Organization, grafana_api_client) -> None:
+    """
+    _sync_grafana_labels_plugin checks if grafana-labels-app plugin is enabled and sets a flag in the organization.
+    It intended to use only inside _sync_organization. It mutates, but not saves org, it's saved in _sync_organization.
+    """
+    grafana_labels_plugin_settings, _ = grafana_api_client.get_grafana_labels_plugin_settings()
+    if grafana_labels_plugin_settings is not None:
+        organization.is_grafana_labels_enabled = grafana_labels_plugin_settings["enabled"]
+
+
+def _sync_grafana_incident_plugin(organization: Organization, grafana_api_client) -> None:
+    """
+    _sync_grafana_incident_plugin check if incident plugin is enabled and sets a flag and its url in the organization.
+    It intended to use only inside _sync_organization. It mutates, but not saves org, it's saved in _sync_organization.
+    """
+    grafana_incident_settings, _ = grafana_api_client.get_grafana_incident_plugin_settings()
+    if grafana_incident_settings is not None:
+        organization.is_grafana_incident_enabled = grafana_incident_settings["enabled"]
+        organization.grafana_incident_backend_url = grafana_incident_settings.get("jsonData", {}).get(
+            GrafanaAPIClient.GRAFANA_INCIDENT_PLUGIN_BACKEND_URL_KEY
+        )
+
+
 def sync_users_and_teams(client: GrafanaAPIClient, organization: Organization) -> None:
     sync_users(client, organization)
     sync_teams(client, organization)
diff --git a/engine/apps/user_management/tests/test_sync.py b/engine/apps/user_management/tests/test_sync.py
index 6c0a6d92..158f1378 100644
--- a/engine/apps/user_management/tests/test_sync.py
+++ b/engine/apps/user_management/tests/test_sync.py
@@ -1,3 +1,5 @@
+from dataclasses import dataclass
+from typing import Optional
 from unittest.mock import patch
 
 import pytest
@@ -8,7 +10,12 @@ from apps.alerts.models import AlertReceiveChannel
 from apps.api.permissions import LegacyAccessControlRole
 from apps.grafana_plugin.helpers.client import GcomAPIClient, GrafanaAPIClient
 from apps.user_management.models import Team, User
-from apps.user_management.sync import cleanup_organization, sync_organization
+from apps.user_management.sync import (
+    _sync_grafana_incident_plugin,
+    _sync_grafana_labels_plugin,
+    cleanup_organization,
+    sync_organization,
+)
 
 MOCK_GRAFANA_INCIDENT_BACKEND_URL = "https://grafana-incident.test"
 
@@ -177,14 +184,6 @@ def test_sync_users_for_team(make_organization, make_user_for_organization, make
 
 
 @pytest.mark.django_db
-@pytest.mark.parametrize(
-    "get_grafana_incident_plugin_settings_return_value",
-    [
-        ({"enabled": True, "jsonData": {"backendUrl": MOCK_GRAFANA_INCIDENT_BACKEND_URL}}, None),
-        # missing jsonData (sometimes this is what we get back from the Grafana API)
-        ({"enabled": True}, None),
-    ],
-)
 @patch.object(GrafanaAPIClient, "is_rbac_enabled_for_organization", return_value=False)
 @patch.object(
     GrafanaAPIClient,
@@ -221,18 +220,28 @@ def test_sync_users_for_team(make_organization, make_user_for_organization, make
 )
 @patch.object(GrafanaAPIClient, "check_token", return_value=(None, {"connected": True}))
 @patch.object(GrafanaAPIClient, "get_grafana_incident_plugin_settings")
+@patch.object(GrafanaAPIClient, "get_grafana_labels_plugin_settings")
 @patch("apps.user_management.sync.org_sync_signal")
 def test_sync_organization(
     mocked_org_sync_signal,
+    mock_get_grafana_labels_plugin_settings,
     mock_get_grafana_incident_plugin_settings,
     _mock_check_token,
     _mock_get_teams,
     _mock_get_users,
     _mock_is_rbac_enabled_for_organization,
-    get_grafana_incident_plugin_settings_return_value,
     make_organization,
 ):
-    mock_get_grafana_incident_plugin_settings.return_value = get_grafana_incident_plugin_settings_return_value
+    # Set optimistic responses from grafana api.
+    # All cases are tested properly in test_sync_grafana_incident_plugin/test_sync_grafana_labels_plugin
+    mock_get_grafana_incident_plugin_settings.return_value = (
+        {
+            "enabled": True,
+            "jsonData": {"backendUrl": MOCK_GRAFANA_INCIDENT_BACKEND_URL},
+        },
+        None,
+    )
+    mock_get_grafana_labels_plugin_settings.return_value = ({"enabled": True, "jsonData": {}}, None)
 
     organization = make_organization()
 
@@ -266,10 +275,10 @@ def test_sync_organization(
 
     # check that is_grafana_incident_enabled flag is set
     assert organization.is_grafana_incident_enabled is True
-    if get_grafana_incident_plugin_settings_return_value[0].get("jsonData"):
-        assert organization.grafana_incident_backend_url == MOCK_GRAFANA_INCIDENT_BACKEND_URL
-    else:
-        assert organization.grafana_incident_backend_url is None
+    assert organization.grafana_incident_backend_url == MOCK_GRAFANA_INCIDENT_BACKEND_URL
+
+    # check that is_grafana_labels_enabled flag is set
+    assert organization.is_grafana_labels_enabled is True
 
     mocked_org_sync_signal.send.assert_called_once_with(sender=None, organization=organization)
 
@@ -328,7 +337,15 @@ def test_sync_organization_is_rbac_permissions_enabled_open_source(make_organiza
                                 None,
                             ),
                         ):
-                            sync_organization(organization)
+                            with patch.object(
+                                GrafanaAPIClient,
+                                "get_grafana_labels_plugin_settings",
+                                return_value=(
+                                    {"enabled": True, "jsonData": {}},
+                                    None,
+                                ),
+                            ):
+                                sync_organization(organization)
 
     organization.refresh_from_db()
     assert organization.is_rbac_permissions_enabled == grafana_api_response
@@ -396,7 +413,15 @@ def test_sync_organization_is_rbac_permissions_enabled_cloud(
                                 None,
                             ),
                         ):
-                            sync_organization(organization)
+                            with patch.object(
+                                GrafanaAPIClient,
+                                "get_grafana_labels_plugin_settings",
+                                return_value=(
+                                    {"enabled": True, "jsonData": {}},
+                                    None,
+                                ),
+                            ):
+                                sync_organization(organization)
 
     organization.refresh_from_db()
 
@@ -467,3 +492,68 @@ def test_sync_organization_lock(make_organization):
 
     mock_task_lock.assert_called_once_with(f"sync-organization-lock-{organization.id}", random_uuid)
     assert not mock_client.called
+
+
+@dataclass
+class TestSyncGrafanaLabelsPluginParams:
+    response: tuple
+    expected_result: bool
+
+
+@pytest.mark.django_db
+@pytest.mark.parametrize(
+    "test_params",
+    [
+        TestSyncGrafanaLabelsPluginParams(({"enabled": True, "jsonData": {}}, None), True),
+        TestSyncGrafanaLabelsPluginParams(({"enabled": True}, None), True),
+        TestSyncGrafanaLabelsPluginParams(({"enabled": False}, None), False),
+    ],
+)
+@pytest.mark.django_db
+def test_sync_grafana_labels_plugin(make_organization, test_params: TestSyncGrafanaLabelsPluginParams):
+    organization = make_organization()
+    organization.is_grafana_labels_enabled = False  # by default in tests it's true, so setting to false
+
+    with patch.object(
+        GrafanaAPIClient,
+        "get_grafana_labels_plugin_settings",
+        return_value=test_params.response,
+    ):
+        grafana_api_client = GrafanaAPIClient(api_url=organization.grafana_url, api_token=organization.api_token)
+        _sync_grafana_labels_plugin(organization, grafana_api_client)
+    assert organization.is_grafana_labels_enabled is test_params.expected_result
+
+
+@dataclass
+class TestSyncGrafanaIncidentParams:
+    response: tuple
+    expected_flag: bool
+    expected_url: Optional[str]
+
+
+@pytest.mark.django_db
+@pytest.mark.parametrize(
+    "test_params",
+    [
+        TestSyncGrafanaIncidentParams(
+            ({"enabled": True, "jsonData": {"backendUrl": MOCK_GRAFANA_INCIDENT_BACKEND_URL}}, None),
+            True,
+            MOCK_GRAFANA_INCIDENT_BACKEND_URL,
+        ),
+        TestSyncGrafanaIncidentParams(({"enabled": True}, None), True, None),
+        # missing jsonData (sometimes this is what we get back from the Grafana API)
+        TestSyncGrafanaIncidentParams(({"enabled": False}, None), False, None),  # plugin is disabled for some reason
+    ],
+)
+@pytest.mark.django_db
+def test_sync_grafana_incident_plugin(make_organization, test_params: TestSyncGrafanaIncidentParams):
+    organization = make_organization()
+    with patch.object(
+        GrafanaAPIClient,
+        "get_grafana_incident_plugin_settings",
+        return_value=test_params.response,
+    ):
+        grafana_api_client = GrafanaAPIClient(api_url=organization.grafana_url, api_token=organization.api_token)
+        _sync_grafana_incident_plugin(organization, grafana_api_client)
+    assert organization.is_grafana_incident_enabled is test_params.expected_flag
+    assert organization.grafana_incident_backend_url is test_params.expected_url
diff --git a/engine/conftest.py b/engine/conftest.py
index 74569268..0d328429 100644
--- a/engine/conftest.py
+++ b/engine/conftest.py
@@ -185,17 +185,17 @@ def mock_apply_async(monkeypatch):
     monkeypatch.setattr(Task, "apply_async", mock_apply_async)
 
 
-@pytest.fixture(autouse=True)
-def mock_is_labels_feature_enabled(settings):
-    settings.FEATURE_LABELS_ENABLED_FOR_ALL = True
-
-
 @pytest.fixture(autouse=True)
 def clear_ical_users_cache():
     # clear users pks <-> organization cache (persisting between tests)
     memoized_users_in_ical.cache_clear()
 
 
+@pytest.fixture(autouse=True)
+def mock_is_labels_feature_enabled(settings):
+    settings.FEATURE_LABELS_ENABLED_FOR_ALL = True
+
+
 @pytest.fixture
 def mock_is_labels_feature_enabled_for_org(settings):
     def _mock_is_labels_feature_enabled_for_org(org_id):
@@ -208,7 +208,9 @@ def mock_is_labels_feature_enabled_for_org(settings):
 @pytest.fixture
 def make_organization():
     def _make_organization(**kwargs):
-        return OrganizationFactory(**kwargs, is_rbac_permissions_enabled=IS_RBAC_ENABLED)
+        return OrganizationFactory(
+            **kwargs, is_rbac_permissions_enabled=IS_RBAC_ENABLED, is_grafana_labels_enabled=True
+        )
 
     return _make_organization
 

From 401d279d544c2f7100dbf22d1dc8e865c2b189ac Mon Sep 17 00:00:00 2001
From: Ildar Iskhakov <Ildar.iskhakov@grafana.com>
Date: Tue, 30 Jan 2024 16:39:04 +0800
Subject: [PATCH 17/22] Refactor create_alert task (#3759)

# What this PR does

This PR simplifies alert group/alert creation, so the alert created and
escalation started in the same task.

## Which issue(s) this PR fixes

## Checklist

- [ ] Unit, integration, and e2e (if applicable) tests updated
- [ ] Documentation added (or `pr:no public docs` PR label added if not
required)
- [ ] `CHANGELOG.md` updated (or `pr:no changelog` PR label added if not
required)
---
 CHANGELOG.md                                 |  1 +
 engine/apps/alerts/models/alert.py           | 54 +++++++++++---------
 engine/apps/alerts/tasks/distribute_alert.py |  2 +
 engine/apps/alerts/tests/test_alert.py       |  7 ++-
 engine/apps/integrations/tasks.py            |  6 +--
 5 files changed, 40 insertions(+), 30 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 12da05ae..9aee536c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -20,6 +20,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Add check whether organization has Slack connection on update Slack related field using public api endpoints
   by @Ferril ([#3751](https://github.com/grafana/oncall/pull/3751))
 - Fixed calculating the number of on-call users per team by @Ferril ([#3773](https://github.com/grafana/oncall/pull/3773))
+- Refactor create_alert task by @iskhakov ([#3604](https://github.com/grafana/oncall/pull/3759))
 
 ## v1.3.92 (2024-01-23)
 
diff --git a/engine/apps/alerts/models/alert.py b/engine/apps/alerts/models/alert.py
index a3b5573e..6d084a9c 100644
--- a/engine/apps/alerts/models/alert.py
+++ b/engine/apps/alerts/models/alert.py
@@ -12,6 +12,8 @@ from django.db.models import JSONField
 from apps.alerts import tasks
 from apps.alerts.constants import TASK_DELAY_SECONDS
 from apps.alerts.incident_appearance.templaters import TemplateLoader
+from apps.alerts.signals import alert_group_escalation_snapshot_built
+from apps.alerts.tasks.distribute_alert import send_alert_create_signal
 from apps.labels.alert_group_labels import assign_labels
 from common.jinja_templater import apply_jinja_template
 from common.jinja_templater.apply_jinja_template import JinjaTemplateError, JinjaTemplateWarning
@@ -102,28 +104,16 @@ class Alert(models.Model):
         if channel_filter is None:
             channel_filter = ChannelFilter.select_filter(alert_receive_channel, raw_request_data, force_route_id)
 
+        # Get or create group
         group, group_created = AlertGroup.objects.get_or_create_grouping(
             channel=alert_receive_channel,
             channel_filter=channel_filter,
             group_data=group_data,
             received_at=received_at,
         )
+        logger.debug(f"alert group {group.pk} created={group_created}")
 
-        if group_created:
-            assign_labels(group, alert_receive_channel, raw_request_data)
-            group.log_records.create(type=AlertGroupLogRecord.TYPE_REGISTERED)
-            group.log_records.create(type=AlertGroupLogRecord.TYPE_ROUTE_ASSIGNED)
-
-        mark_as_resolved = (
-            enable_autoresolve and group_data.is_resolve_signal and alert_receive_channel.allow_source_based_resolving
-        )
-        if not group.resolved and mark_as_resolved:
-            group.resolve_by_source()
-
-        mark_as_acknowledged = group_data.is_acknowledge_signal
-        if not group.acknowledged and mark_as_acknowledged:
-            group.acknowledge_by_source()
-
+        # Create alert
         alert = cls(
             is_resolve_signal=group_data.is_resolve_signal,
             title=title,
@@ -135,21 +125,39 @@ class Alert(models.Model):
             raw_request_data=raw_request_data,
             is_the_first_alert_in_group=group_created,
         )
-
         alert.save()
+        logger.debug(f"alert {alert.pk} created")
+
+        transaction.on_commit(partial(send_alert_create_signal.apply_async, (alert.pk,)))
+
+        if group_created:
+            assign_labels(group, alert_receive_channel, raw_request_data)
+            group.log_records.create(type=AlertGroupLogRecord.TYPE_REGISTERED)
+            group.log_records.create(type=AlertGroupLogRecord.TYPE_ROUTE_ASSIGNED)
+
+        if group_created or alert.group.pause_escalation:
+            # Build escalation snapshot if needed and start escalation
+            alert.group.start_escalation_if_needed(countdown=TASK_DELAY_SECONDS)
+
+        if group_created:
+            # TODO: consider moving to start_escalation_if_needed
+            alert_group_escalation_snapshot_built.send(sender=cls.__class__, alert_group=alert.group)
+
+        mark_as_acknowledged = group_data.is_acknowledge_signal
+        if not group.acknowledged and mark_as_acknowledged:
+            group.acknowledge_by_source()
+
+        mark_as_resolved = (
+            enable_autoresolve and group_data.is_resolve_signal and alert_receive_channel.allow_source_based_resolving
+        )
+        if not group.resolved and mark_as_resolved:
+            group.resolve_by_source()
 
         # Store exact alert which resolved group.
         if group.resolved_by == AlertGroup.SOURCE and group.resolved_by_alert is None:
             group.resolved_by_alert = alert
             group.save(update_fields=["resolved_by_alert"])
 
-        if settings.DEBUG:
-            tasks.distribute_alert(alert.pk)
-        else:
-            transaction.on_commit(
-                partial(tasks.distribute_alert.apply_async, (alert.pk,), countdown=TASK_DELAY_SECONDS)
-            )
-
         if group_created:
             # all code below related to maintenance mode
             maintenance_uuid = None
diff --git a/engine/apps/alerts/tasks/distribute_alert.py b/engine/apps/alerts/tasks/distribute_alert.py
index f1d146a4..f69f80fe 100644
--- a/engine/apps/alerts/tasks/distribute_alert.py
+++ b/engine/apps/alerts/tasks/distribute_alert.py
@@ -13,6 +13,8 @@ from .task_logger import task_logger
 def distribute_alert(alert_id):
     """
     We need this task to make task processing async and to make sure the task is delivered.
+    This task is not used anymore, but we keep it for the tasks in the queue to be processed.
+    TODO: remove this task after all the tasks in the queue are processed.
     """
     from apps.alerts.models import Alert
 
diff --git a/engine/apps/alerts/tests/test_alert.py b/engine/apps/alerts/tests/test_alert.py
index cb2a2d68..d0fc7e24 100644
--- a/engine/apps/alerts/tests/test_alert.py
+++ b/engine/apps/alerts/tests/test_alert.py
@@ -8,9 +8,9 @@ from apps.alerts.tasks import distribute_alert, escalate_alert_group
 
 
 @pytest.mark.django_db
-@patch("apps.alerts.tasks.distribute_alert.distribute_alert.apply_async", return_value=None)
+@patch("apps.alerts.tasks.distribute_alert.send_alert_create_signal.apply_async", return_value=None)
 def test_alert_create_default_channel_filter(
-    mocked_distribute_alert_task,
+    mocked_send_alert_create_signal,
     make_organization,
     make_alert_receive_channel,
     make_channel_filter,
@@ -30,10 +30,9 @@ def test_alert_create_default_channel_filter(
             image_url=None,
             link_to_upstream_details=None,
         )
-
     assert alert.group.channel_filter == channel_filter
     assert len(callbacks) == 1
-    mocked_distribute_alert_task.assert_called_once_with((alert.pk,), countdown=1)
+    mocked_send_alert_create_signal.assert_called_once_with((alert.pk,))
 
 
 @pytest.mark.django_db
diff --git a/engine/apps/integrations/tasks.py b/engine/apps/integrations/tasks.py
index 4ce84c2e..94420d62 100644
--- a/engine/apps/integrations/tasks.py
+++ b/engine/apps/integrations/tasks.py
@@ -63,8 +63,8 @@ def create_alertmanager_alerts(alert_receive_channel_pk, alert, is_demo=False, f
             alert.group.active_resolve_calculation_id = task.id
             alert.group.save(update_fields=["active_resolve_calculation_id"])
 
-    logger.info(
-        f"Created alert alert_id={alert.pk} alert_group_id={alert.group.pk} channel_id={alert_receive_channel.pk}"
+    logger.debug(
+        f"Created alertmanager alert alert_id={alert.pk} alert_group_id={alert.group.pk} channel_id={alert_receive_channel.pk}"
     )
 
 
@@ -109,7 +109,7 @@ def create_alert(
             is_demo=is_demo,
             received_at=received_at,
         )
-        logger.info(
+        logger.debug(
             f"Created alert alert_id={alert.pk} alert_group_id={alert.group.pk} channel_id={alert_receive_channel.pk}"
         )
     except ConcurrentUpdateError:

From a6680e5ac1a8f4c0199ff5572be2eab446500adf Mon Sep 17 00:00:00 2001
From: Ildar Iskhakov <Ildar.iskhakov@grafana.com>
Date: Tue, 30 Jan 2024 18:33:22 +0800
Subject: [PATCH 18/22] Merge hotfix 1.3.94 (#3784)

# What this PR does

## Which issue(s) this PR fixes

## Checklist

- [ ] Unit, integration, and e2e (if applicable) tests updated
- [ ] Documentation added (or `pr:no public docs` PR label added if not
required)
- [ ] `CHANGELOG.md` updated (or `pr:no changelog` PR label added if not
required)

---------

Co-authored-by: Joey Orlando <joey.orlando@grafana.com>
Co-authored-by: GitHub Actions <actions@github.com>
Co-authored-by: Joey Orlando <joseph.t.orlando@gmail.com>
Co-authored-by: Vadim Stepanov <vadimkerr@gmail.com>
---
 engine/common/oncall_gateway/utils.py | 8 ++++----
 helm/oncall/Chart.yaml                | 4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/engine/common/oncall_gateway/utils.py b/engine/common/oncall_gateway/utils.py
index 60258ad2..a11bab3f 100644
--- a/engine/common/oncall_gateway/utils.py
+++ b/engine/common/oncall_gateway/utils.py
@@ -54,7 +54,7 @@ def check_slack_installation_possible(oncall_org_id: str, slack_id: str, backend
 
 
 def create_slack_connector(oncall_org_id: str, slack_id: str, backend: str):
-    client = ChatopsProxyAPIClient(settings.ONCALL_GATEWAY_URL, settings.ONCALL_GATEWAY_API_TOKEN)
+    client = OnCallGatewayAPIClient(settings.ONCALL_GATEWAY_URL, settings.ONCALL_GATEWAY_API_TOKEN)
     try:
         client.post_slack_connector(oncall_org_id, slack_id, backend)
     except Exception as e:
@@ -175,11 +175,11 @@ def unregister_oncall_tenant_wrapper(service_tenant_id: str, cluster_slug: str):
         delete_oncall_connector(service_tenant_id)
 
 
-def can_link_slack_team_wrapper(service_tenant_id: str, slack_team_id, cluster_slug: str):
+def can_link_slack_team_wrapper(service_tenant_id: str, slack_team_id, cluster_slug: str) -> bool:
     if settings.CHATOPS_V3:
-        can_link_slack_team(service_tenant_id, slack_team_id, cluster_slug)
+        return can_link_slack_team(service_tenant_id, slack_team_id, cluster_slug)
     else:
-        check_slack_installation_possible(service_tenant_id, slack_team_id, cluster_slug)
+        return check_slack_installation_possible(service_tenant_id, slack_team_id, cluster_slug)
 
 
 def link_slack_team_wrapper(service_tenant_id: str, slack_team_id: str):
diff --git a/helm/oncall/Chart.yaml b/helm/oncall/Chart.yaml
index 4ce76359..c3b81883 100644
--- a/helm/oncall/Chart.yaml
+++ b/helm/oncall/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: oncall
 description: Developer-friendly incident response with brilliant Slack integration
 type: application
-version: 1.3.90
-appVersion: v1.3.90
+version: 1.3.92
+appVersion: v1.3.92
 dependencies:
   - name: cert-manager
     version: v1.8.0

From 94af60e34d9a9889e0314eb429ca8d85f05104de Mon Sep 17 00:00:00 2001
From: Ildar Iskhakov <Ildar.iskhakov@grafana.com>
Date: Tue, 30 Jan 2024 19:25:10 +0800
Subject: [PATCH 19/22] Update CHANGELOG.md (#3786)

# What this PR does

## Which issue(s) this PR fixes

## Checklist

- [ ] Unit, integration, and e2e (if applicable) tests updated
- [ ] Documentation added (or `pr:no public docs` PR label added if not
required)
- [ ] `CHANGELOG.md` updated (or `pr:no changelog` PR label added if not
required)
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9aee536c..312b4215 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,7 +5,7 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## Unreleased
+## v1.3.94 (2024-01-30)
 
 ### Added
 

From 137797efb3632e411812808ed64e9f31743d406e Mon Sep 17 00:00:00 2001
From: GitHub Actions <actions@github.com>
Date: Fri, 26 Jan 2024 17:17:13 +0000
Subject: [PATCH 20/22] Release oncall Helm chart 1.3.93

---
 helm/oncall/Chart.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/helm/oncall/Chart.yaml b/helm/oncall/Chart.yaml
index c3b81883..e5be2205 100644
--- a/helm/oncall/Chart.yaml
+++ b/helm/oncall/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: oncall
 description: Developer-friendly incident response with brilliant Slack integration
 type: application
-version: 1.3.92
-appVersion: v1.3.92
+version: 1.3.93
+appVersion: v1.3.93
 dependencies:
   - name: cert-manager
     version: v1.8.0

From 7cce1ced0599ffe07c2eeb717e33c5bb6388ec3a Mon Sep 17 00:00:00 2001
From: GitHub Actions <actions@github.com>
Date: Fri, 26 Jan 2024 17:43:29 +0000
Subject: [PATCH 21/22] Release oncall Helm chart 1.3.94

---
 helm/oncall/Chart.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/helm/oncall/Chart.yaml b/helm/oncall/Chart.yaml
index e5be2205..88810f1c 100644
--- a/helm/oncall/Chart.yaml
+++ b/helm/oncall/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: oncall
 description: Developer-friendly incident response with brilliant Slack integration
 type: application
-version: 1.3.93
-appVersion: v1.3.93
+version: 1.3.94
+appVersion: v1.3.94
 dependencies:
   - name: cert-manager
     version: v1.8.0

From 023ac03df9b40f5aef78c87fbe447700bdf634a4 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 30 Jan 2024 07:52:17 -0500
Subject: [PATCH 22/22] Bump aiohttp from 3.9.0 to 3.9.2 in
 /dev/scripts/generate-fake-data (#3780)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bumps [aiohttp](https://github.com/aio-libs/aiohttp) from 3.9.0 to
3.9.2.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/aio-libs/aiohttp/releases">aiohttp's
releases</a>.</em></p>
<blockquote>
<h2>3.9.2</h2>
<h2>Bug fixes</h2>
<ul>
<li>
<p>Fixed server-side websocket connection leak.</p>
<p><em>Related issues and pull requests on GitHub:</em>
<a
href="https://redirect.github.com/aio-libs/aiohttp/issues/7978">#7978</a>.</p>
</li>
<li>
<p>Fixed <code>web.FileResponse</code> doing blocking I/O in the event
loop.</p>
<p><em>Related issues and pull requests on GitHub:</em>
<a
href="https://redirect.github.com/aio-libs/aiohttp/issues/8012">#8012</a>.</p>
</li>
<li>
<p>Fixed double compress when compression enabled and compressed file
exists in server file responses.</p>
<p><em>Related issues and pull requests on GitHub:</em>
<a
href="https://redirect.github.com/aio-libs/aiohttp/issues/8014">#8014</a>.</p>
</li>
<li>
<p>Added runtime type check for <code>ClientSession</code>
<code>timeout</code> parameter.</p>
<p><em>Related issues and pull requests on GitHub:</em>
<a
href="https://redirect.github.com/aio-libs/aiohttp/issues/8021">#8021</a>.</p>
</li>
<li>
<p>Fixed an unhandled exception in the Python HTTP parser on header
lines starting with a colon -- by :user:<code>pajod</code>.</p>
<p>Invalid request lines with anything but a dot between the HTTP major
and minor version are now rejected.
Invalid header field names containing question mark or slash are now
rejected.
Such requests are incompatible with :rfc:<code>9110#section-5.6.2</code>
and are not known to be of any legitimate use.</p>
<p><em>Related issues and pull requests on GitHub:</em>
<a
href="https://redirect.github.com/aio-libs/aiohttp/issues/8074">#8074</a>.</p>
</li>
<li>
<p>Improved validation of paths for static resources requests to the
server -- by :user:<code>bdraco</code>.</p>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/aio-libs/aiohttp/blob/master/CHANGES.rst">aiohttp's
changelog</a>.</em></p>
<blockquote>
<h1>3.9.2 (2024-01-28)</h1>
<h2>Bug fixes</h2>
<ul>
<li>
<p>Fixed server-side websocket connection leak.</p>
<p><em>Related issues and pull requests on GitHub:</em>
:issue:<code>7978</code>.</p>
</li>
<li>
<p>Fixed <code>web.FileResponse</code> doing blocking I/O in the event
loop.</p>
<p><em>Related issues and pull requests on GitHub:</em>
:issue:<code>8012</code>.</p>
</li>
<li>
<p>Fixed double compress when compression enabled and compressed file
exists in server file responses.</p>
<p><em>Related issues and pull requests on GitHub:</em>
:issue:<code>8014</code>.</p>
</li>
<li>
<p>Added runtime type check for <code>ClientSession</code>
<code>timeout</code> parameter.</p>
<p><em>Related issues and pull requests on GitHub:</em>
:issue:<code>8021</code>.</p>
</li>
<li>
<p>Fixed an unhandled exception in the Python HTTP parser on header
lines starting with a colon -- by :user:<code>pajod</code>.</p>
<p>Invalid request lines with anything but a dot between the HTTP major
and minor version are now rejected.
Invalid header field names containing question mark or slash are now
rejected.
Such requests are incompatible with :rfc:<code>9110#section-5.6.2</code>
and are not known to be of any legitimate use.</p>
<p><em>Related issues and pull requests on GitHub:</em>
:issue:<code>8074</code>.</p>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/aio-libs/aiohttp/commit/24a6d64966d99182e95f5d3a29541ef2fec397ad"><code>24a6d64</code></a>
Release v3.9.2 (<a
href="https://redirect.github.com/aio-libs/aiohttp/issues/8082">#8082</a>)</li>
<li><a
href="https://github.com/aio-libs/aiohttp/commit/9118a5831e8a65b8c839eb7e4ac983e040ff41df"><code>9118a58</code></a>
[PR <a
href="https://redirect.github.com/aio-libs/aiohttp/issues/8079">#8079</a>/1c335944
backport][3.9] Validate static paths (<a
href="https://redirect.github.com/aio-libs/aiohttp/issues/8080">#8080</a>)</li>
<li><a
href="https://github.com/aio-libs/aiohttp/commit/435ad46e6c26cbf6ed9a38764e9ba8e7441a0e3b"><code>435ad46</code></a>
[PR <a
href="https://redirect.github.com/aio-libs/aiohttp/issues/3955">#3955</a>/8960063e
backport][3.9] Replace all tmpdir fixtures with tmp_path (...</li>
<li><a
href="https://github.com/aio-libs/aiohttp/commit/d33bc21414e283c9e6fe7f6caf69e2ed60d66c82"><code>d33bc21</code></a>
Improve validation in HTTP parser (<a
href="https://redirect.github.com/aio-libs/aiohttp/issues/8074">#8074</a>)
(<a
href="https://redirect.github.com/aio-libs/aiohttp/issues/8078">#8078</a>)</li>
<li><a
href="https://github.com/aio-libs/aiohttp/commit/0d945d1be08f2ba8475513216a66411f053c3217"><code>0d945d1</code></a>
[PR <a
href="https://redirect.github.com/aio-libs/aiohttp/issues/7916">#7916</a>/822fbc74
backport][3.9] Add more information to contributing page (...</li>
<li><a
href="https://github.com/aio-libs/aiohttp/commit/3ec4fa1f0e0a0dad218c75dbe5ed09e22d5cc284"><code>3ec4fa1</code></a>
[PR <a
href="https://redirect.github.com/aio-libs/aiohttp/issues/8069">#8069</a>/69bbe874
backport][3.9] 📝 Only show changelog draft for non-release...</li>
<li><a
href="https://github.com/aio-libs/aiohttp/commit/419d715c42c46daf1a59e0aff61c1f6d10236982"><code>419d715</code></a>
[PR <a
href="https://redirect.github.com/aio-libs/aiohttp/issues/8066">#8066</a>/cba34699
backport][3.9] 💅📝 Restructure the changelog for clarity (#...</li>
<li><a
href="https://github.com/aio-libs/aiohttp/commit/a54dab3b36bcf0d815b9244f52ae7bc5da08f387"><code>a54dab3</code></a>
[PR <a
href="https://redirect.github.com/aio-libs/aiohttp/issues/8049">#8049</a>/a379e634
backport][3.9] Set cause for ClientPayloadError (<a
href="https://redirect.github.com/aio-libs/aiohttp/issues/8050">#8050</a>)</li>
<li><a
href="https://github.com/aio-libs/aiohttp/commit/437ac47fe332106a07a2d5335bb89619f1bc23f7"><code>437ac47</code></a>
[PR <a
href="https://redirect.github.com/aio-libs/aiohttp/issues/7995">#7995</a>/43a5bc50
backport][3.9] Fix examples of
<code>fallback_charset_resolver</code>...</li>
<li><a
href="https://github.com/aio-libs/aiohttp/commit/034e5e34ee11c6138c773d85123490e691e1b708"><code>034e5e3</code></a>
[PR <a
href="https://redirect.github.com/aio-libs/aiohttp/issues/8042">#8042</a>/4b91b530
backport][3.9] Tightening the runtime type check for ssl (...</li>
<li>Additional commits viewable in <a
href="https://github.com/aio-libs/aiohttp/compare/v3.9.0...v3.9.2">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=aiohttp&package-manager=pip&previous-version=3.9.0&new-version=3.9.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/grafana/oncall/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 dev/scripts/generate-fake-data/requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dev/scripts/generate-fake-data/requirements.txt b/dev/scripts/generate-fake-data/requirements.txt
index 712c7bac..f51b2dca 100644
--- a/dev/scripts/generate-fake-data/requirements.txt
+++ b/dev/scripts/generate-fake-data/requirements.txt
@@ -1,3 +1,3 @@
-aiohttp==3.9.0
+aiohttp==3.9.2
 Faker==16.4.0
 tqdm==4.64.1