feat(preprod): Create artifact download endpoint + associated authentication code #93865

Open
wants to merge 5 commits into
base: master

NicoHinderling
Contributor

I implemented the authentication logic that will power the monolith <> launchpad specific endpoints. The code is exactly how seer currently has its auth HTTP calls implemented. I put it in a shared space so that once this lands, we could potentially have the seer team share this underlying logic too. That way we don't have two different implementations of the same thing.

As for "why this auth approach", I explored the different ways we currently have it implemented:

  1. Relay: Public key + signature validation + IP allowlists
  2. Cross-region RPC: Shared secret HMAC (RpcSignatureAuthentication)
  3. Seer: Custom shared secret HMAC (SeerRpcSignatureAuthentication)
  4. Codecov: JWT with shared signing secret
  5. Taskbroker: gRPC interceptor with shared secrets

I went with the #3 approach since our use case is pretty much identical to the Seer use case and the implementation seemed the most straightforward.

Security folks though, please weigh in here! You know best.

I also created 1 of the 3 new endpoints that we need for the launchpad service. This one just allows our service to download the artifact file. I included it so that the full usage of this auth logic is apparent.
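
The shared-secret HMAC scheme chosen above (option 3), as an added example that is not part of this PR or of Sentry's code: the caller signs each request with the shared secret, and the receiver recomputes the MAC and compares it in constant time, failing closed when no secret is configured. The `rpc0` prefix, signing the path together with the body, the function names and all sample values are assumptions made for this example.

```python
import hashlib
import hmac

VERSION = "rpc0"  # assumed version prefix for this example


def _mac(secret: str, path: str, body: bytes) -> str:
    # Bind the signature to the endpoint as well as the body, so a value
    # issued for one path is not accepted on another.
    message = path.encode("utf-8") + b"\n" + body
    return hmac.new(secret.encode("utf-8"), message, hashlib.sha256).hexdigest()


def sign_request(secret: str, path: str, body: bytes) -> str:
    """Calling service: build the signature header value."""
    return f"{VERSION}:{_mac(secret, path, body)}"


def verify_request(secrets: list[str], path: str, body: bytes, header: str) -> bool:
    """Receiving service: return True only for a valid signature."""
    usable = [s for s in secrets if s]
    if not usable:
        return False  # unset or empty secret: fail closed
    version, sep, received = header.partition(":")
    if version != VERSION or not sep or not received:
        return False
    matched = False
    for secret in usable:  # more than one entry allows key rotation
        expected = _mac(secret, path, body)
        # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
        if hmac.compare_digest(expected.encode(), received.encode("utf-8", "replace")):
            matched = True
    return matched


# Constructed sample values (hypothetical path and secrets).
OLD, NEW = "constructed-old-secret", "constructed-new-secret"
PATH = "/example/artifact/1/download/"
HEADER = sign_request(NEW, PATH, b"")
```

A body-less download request is the case where signing the body alone would cover nothing request-specific, which is why this example includes the path in the signed message.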

@NicoHinderling NicoHinderling requested review from a team as code owners June 18, 2025 21:42
@github-actions github-actions bot added the Scope: Backend Automatically applied to PRs that change backend components label Jun 18, 2025
@@ -550,3 +551,120 @@ def authenticate_token(self, request: Request, token: str) -> tuple[Any, Any]:
sentry_sdk.get_isolation_scope().set_tag("rpc_auth", True)

return (AnonymousUser(), token)


def compare_service_signature(

@NicoHinderling NicoHinderling marked this pull request as draft June 18, 2025 21:54
return False


class ServiceRpcSignatureAuthentication(StandardAuthentication):

@NicoHinderling NicoHinderling marked this pull request as ready for review June 18, 2025 22:14

shared_secret_setting_name = LAUNCHPAD_RPC_SHARED_SECRET_SETTING
service_name = "Launchpad"
sdk_tag_name = "launchpad_rpc_auth"
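
Review bot: at `shared_secret_setting_name = LAUNCHPAD_RPC_SHARED_SECRET_SETTING`, nothing in the lines shown says what the authenticator does when that setting is unset or empty. Please state it in a docstring next to these three attributes and cover it with a test, so a deployment without the secret rejects every request instead of computing an HMAC over an empty key. If a Seer variant is added as a sibling, it should point at its own setting rather than reuse this one, so the two services do not share a key.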
Contributor Author

we could just create another version of this but for seer cc @jennmueng

codecov bot commented Jun 18, 2025

❌ 4 Tests Failed:

| Tests completed | Failed | Passed | Skipped |
| --- | --- | --- | --- |
| 26661 | 4 | 26657 | 240 |

View the top 3 failed test(s) by shortest run time

tests.snuba.tagstore.test_tagstore_backend.TagStorageTest::test_get_top_group_tag_values_generic
Stack Traces | 7.64s run time
.../snuba/tagstore/test_tagstore_backend.py:367: in test_get_top_group_tag_values_generic
    resp = self.ts.get_top_group_tag_values(
.../tagstore/snuba/backend.py:677: in get_top_group_tag_values
    tag = self.__get_tag_key_and_top_values(
.../tagstore/snuba/backend.py:209: in __get_tag_key_and_top_values
    raise TagKeyNotFound if group is None else GroupTagKeyNotFound
E   sentry.tagstore.exceptions.GroupTagKeyNotFound

tests.snuba.tagstore.test_tagstore_backend.TagStorageTest::test_get_group_tag_value_count_generic
Stack Traces | 7.92s run time
.../snuba/tagstore/test_tagstore_backend.py:400: in test_get_group_tag_value_count_generic
    assert (
E   AssertionError: assert 0 == 1
E    +  where 0 = <bound method SnubaTagStorage.get_group_tag_value_count of <sentry.tagstore.snuba.backend.SnubaTagStorage object at 0x7fc1393d0500>>(<Group at 0x7fc169154e10: id=388, project_id=4556270440022016>, 285, 'foo', {'organization_id': 1234, 'referrer': 'tagstore.get_group_tag_value_count'})
E    +    where <bound method SnubaTagStorage.get_group_tag_value_count of <sentry.tagstore.snuba.backend.SnubaTagStorage object at 0x7fc1393d0500>> = <sentry.tagstore.snuba.backend.SnubaTagStorage object at 0x7fc1393d0500>.get_group_tag_value_count
E    +      where <sentry.tagstore.snuba.backend.SnubaTagStorage object at 0x7fc1393d0500> = <tests.snuba.tagstore.test_tagstore_backend.TagStorageTest testMethod=test_get_group_tag_value_count_generic>.ts
E    +    and   285 = <Environment at 0x7fc1391a0d50: id=285, organization_id=4556270439956480, name='test'>.id

tests.snuba.tagstore.test_tagstore_backend.TagStorageTest::test_get_group_tag_keys_and_top_values_generic_issue
Stack Traces | 8.02s run time
.../snuba/tagstore/test_tagstore_backend.py:295: in test_get_group_tag_keys_and_top_values_generic_issue
    assert set(tags) == {"foo", "biz", "environment", "sentry:user", "level", "sentry:release"}
E   AssertionError: assert set() == {'biz', 'envi...'sentry:user'}
E
E     Extra items in the right set:
E     'sentry:release'
E     'biz'
E     'foo'
E     'level'
E     'environment'
E     'sentry:user'
E
E     Full diff:
E     + set()
E     - {
E     -     'biz',
E     -     'environment',
E     -     'foo',
E     -     'level',
E     -     'sentry:release',
E     -     'sentry:user',
E     - }

Member

@jennmueng jennmueng left a comment

Nice, looks like we can definitely share it with Seer once it's in. I'm definitely not the best person to review this though, @mdtro will be.
