feat(preprod): Create artifact download endpoint + associated authentication code (#93865)

NicoHinderling · web-flow · commit e1d511f9cad5 · 2025-06-24T15:03:03.000-07:00
I implemented the authentication logic that will power the monolith <> launchpad specific endpoints. The code is exactly how seer currently has its auth HTTP calls implemented. I put it in a shared space so that once this lands, we could potentially have the seer team share this underlying logic too. That way we don't have two different implementations of the same thing As for "why this auth approach", I explored the different ways we currently have it implemented: 1. Relay: Public key + signature validation + IP allowlists 2. Cross-region RPC: Shared secret HMAC (RpcSignatureAuthentication) 3. Seer: Custom shared secret HMAC (SeerRpcSignatureAuthentication) 4. Codecov: JWT with shared signing secret 5. Taskbroker: gRPC interceptor with shared secrets I went with the #3 approach since our use case is pretty much identical to the Seer use case and the implementation seemed the most straightforward. Security folks though, please weigh in here! You know best I also created 1 of the 3 new endpoints that we need for the launchpad service. This one just allows our service to download the artifact file. I included it so that the full usage of this auth logic is apparent
diff --git a/src/sentry/api/authentication.py b/src/sentry/api/authentication.py
@@ -1,6 +1,7 @@
 from __future__ import annotations
 
 import hashlib
+import hmac
 import logging
 from collections.abc import Callable, Iterable
 from typing import Any, ClassVar
@@ -25,7 +26,7 @@
 from sentry.auth.services.auth import AuthenticatedToken
 from sentry.auth.system import SystemToken, is_internal_ip
 from sentry.hybridcloud.models import ApiKeyReplica, ApiTokenReplica, OrgAuthTokenReplica
-from sentry.hybridcloud.rpc.service import compare_signature
+from sentry.hybridcloud.rpc.service import RpcAuthenticationSetupException, compare_signature
 from sentry.models.apiapplication import ApiApplication
 from sentry.models.apikey import ApiKey
 from sentry.models.apitoken import ApiToken
@@ -550,3 +551,98 @@ def authenticate_token(self, request: Request, token: str) -> tuple[Any, Any]:
         sentry_sdk.get_isolation_scope().set_tag("rpc_auth", True)
 
         return (AnonymousUser(), token)
+
+
+def compare_service_signature(
+    url: str,
+    body: bytes,
+    signature: str,
+    shared_secret_setting: list[str],
+    service_name: str,
+) -> bool:
+    """
+    Generic function to compare request data + signature signed by one of the shared secrets.
+
+    Once a key has been able to validate the signature other keys will
+    not be attempted. We should only have multiple keys during key rotations.
+
+    Args:
+        url: The request URL path
+        body: The request body
+        signature: The signature to validate
+        shared_secret_setting: List of shared secrets from settings
+        service_name: Name of the service for logging (e.g., "Seer", "Launchpad")
+    """
+
+    if not shared_secret_setting:
+        raise RpcAuthenticationSetupException(
+            f"Cannot validate {service_name} RPC request signatures without shared secret"
+        )
+
+    # Ensure no empty secrets
+    if any(not secret.strip() for secret in shared_secret_setting):
+        raise RpcAuthenticationSetupException(
+            f"Cannot validate {service_name} RPC request signatures with empty shared secret"
+        )
+
+    if not signature.startswith("rpc0:"):
+        logger.error("%s RPC signature validation failed: invalid signature prefix", service_name)
+        return False
+
+    try:
+        # We aren't using the version bits currently.
+        _, signature_data = signature.split(":", 2)
+
+        signature_input = body
+
+        for key in shared_secret_setting:
+            computed = hmac.new(key.encode(), signature_input, hashlib.sha256).hexdigest()
+            is_valid = constant_time_compare(computed.encode(), signature_data.encode())
+            if is_valid:
+                return True
+    except Exception:
+        logger.exception("%s RPC signature validation failed", service_name)
+        return False
+
+    logger.error("%s RPC signature validation failed", service_name)
+
+    return False
+
+
+class ServiceRpcSignatureAuthentication(StandardAuthentication):
+    """
+    Generic authentication for service RPC requests.
+    Requests are sent with an HMAC signed by a shared private key.
+
+    Subclasses should define:
+    - shared_secret_setting_name: str - name of the settings attribute (e.g., "SEER_RPC_SHARED_SECRET")
+    - service_name: str - name of the service for logging (e.g., "Seer", "Launchpad")
+    - sdk_tag_name: str - name for the SDK tag (e.g., "seer_rpc_auth", "launchpad_rpc_auth")
+    """
+
+    token_name = b"rpcsignature"
+    shared_secret_setting_name: str
+    service_name: str
+    sdk_tag_name: str
+
+    def accepts_auth(self, auth: list[bytes]) -> bool:
+        if not auth or len(auth) < 2:
+            return False
+        return auth[0].lower() == self.token_name
+
+    def authenticate_token(self, request: Request, token: str) -> tuple[Any, Any]:
+        shared_secret_setting = getattr(settings, self.shared_secret_setting_name, None)
+
+        if shared_secret_setting is None:
+            raise RpcAuthenticationSetupException(
+                f"Cannot validate {self.service_name} RPC request signatures without shared secret"
+            )
+
+        if not compare_service_signature(
+            request.path_info, request.body, token, shared_secret_setting, self.service_name
+        ):
+            raise AuthenticationFailed("Invalid signature")
+
+        sentry_sdk.get_isolation_scope().set_tag(self.sdk_tag_name, True)
+
+        return (AnonymousUser(), token)
diff --git a/src/sentry/api/urls.py b/src/sentry/api/urls.py
@@ -3276,6 +3276,7 @@ def create_group_urls(name_prefix: str) -> list[URLPattern | URLResolver]:
         EmailCaptureEndpoint.as_view(),
         name="sentry-demo-mode-email-capture",
     ),
+    *preprod_urls.preprod_internal_urlpatterns,
 ]
 
 PREVENT_URLS = [
diff --git a/src/sentry/conf/server.py b/src/sentry/conf/server.py
@@ -710,6 +710,9 @@ def SOCIAL_AUTH_DEFAULT_USERNAME() -> str:
 # Shared secret used to sign cross-region RPC requests to the seer microservice.
 SEER_API_SHARED_SECRET: str = ""
 
+# Shared secret used to sign cross-region RPC requests from the launchpad microservice.
+LAUNCHPAD_RPC_SHARED_SECRET: list[str] | None = None
+
 # The protocol, host and port for control silo
 # Usecases include sending requests to the Integration Proxy Endpoint and RPC requests.
 SENTRY_CONTROL_ADDRESS: str | None = os.environ.get("SENTRY_CONTROL_ADDRESS", None)
@@ -3967,6 +3970,7 @@ def custom_parameter_sort(parameter: dict) -> tuple[str, int]:
     ]
     RPC_TIMEOUT = 15.0
     SEER_RPC_SHARED_SECRET = ["seers-also-very-long-value-haha"]
+    LAUNCHPAD_RPC_SHARED_SECRET = ["launchpad-also-very-long-value-haha"]
 
     # Key for signing integration proxy requests.
     SENTRY_SUBNET_SECRET = "secret-subnet-signature"
diff --git a/src/sentry/preprod/api/endpoints/project_preprod_artifact_download.py b/src/sentry/preprod/api/endpoints/project_preprod_artifact_download.py
@@ -0,0 +1,91 @@
+import posixpath
+
+from django.http.response import FileResponse, HttpResponseBase
+from rest_framework.exceptions import PermissionDenied
+from rest_framework.request import Request
+from rest_framework.response import Response
+
+from sentry.api.api_owners import ApiOwner
+from sentry.api.api_publish_status import ApiPublishStatus
+from sentry.api.base import region_silo_endpoint
+from sentry.api.bases.project import ProjectEndpoint
+from sentry.api.endpoints.project_release_file_details import ClosesDependentFiles
+from sentry.models.files.file import File
+from sentry.preprod.authentication import LaunchpadRpcSignatureAuthentication
+from sentry.preprod.models import PreprodArtifact
+
+
+@region_silo_endpoint
+class ProjectPreprodArtifactDownloadEndpoint(ProjectEndpoint):
+    owner = ApiOwner.EMERGE_TOOLS
+    publish_status = {
+        "GET": ApiPublishStatus.PRIVATE,
+    }
+    authentication_classes = (LaunchpadRpcSignatureAuthentication,)
+    permission_classes = ()
+
+    def _is_authorized(self, request: Request) -> bool:
+        if request.auth and isinstance(
+            request.successful_authenticator, LaunchpadRpcSignatureAuthentication
+        ):
+            return True
+        return False
+
+    def get(self, request: Request, project, artifact_id) -> HttpResponseBase:
+        """
+        Download a preprod artifact file
+        ```````````````````````````````
+
+        Download the actual file contents of a preprod artifact.
+
+        :pparam string organization_id_or_slug: the id or slug of the organization the
+                                          artifact belongs to.
+        :pparam string project_id_or_slug: the id or slug of the project to retrieve the
+                                     artifact from.
+        :pparam string artifact_id: the ID of the preprod artifact to download.
+        :auth: required
+        """
+        if not self._is_authorized(request):
+            raise PermissionDenied
+
+        try:
+            preprod_artifact = PreprodArtifact.objects.get(
+                project=project,
+                id=artifact_id,
+            )
+        except PreprodArtifact.DoesNotExist:
+            return Response({"error": f"Preprod artifact {artifact_id} not found"}, status=404)
+
+        if preprod_artifact.file_id is None:
+            return Response({"error": "Preprod artifact file not available"}, status=404)
+
+        if preprod_artifact.state != PreprodArtifact.ArtifactState.PROCESSED:
+            return Response(
+                {
+                    "error": f"Preprod artifact is not ready for download (state: {preprod_artifact.get_state_display()})"
+                },
+                status=400,
+            )
+
+        try:
+            file_obj = File.objects.get(id=preprod_artifact.file_id)
+        except File.DoesNotExist:
+            return Response({"error": "Preprod artifact file not found"}, status=404)
+
+        try:
+            fp = file_obj.getfile()
+        except Exception:
+            return Response({"error": "Failed to retrieve preprod artifact file"}, status=500)
+
+        # All preprod artifacts are zip files
+        filename = f"preprod_artifact_{artifact_id}.zip"
+
+        response = FileResponse(
+            ClosesDependentFiles(fp),
+            content_type="application/octet-stream",
+        )
+
+        response["Content-Length"] = file_obj.size
+        response["Content-Disposition"] = f'attachment; filename="{posixpath.basename(filename)}"'
+
+        return response
diff --git a/src/sentry/preprod/api/endpoints/urls.py b/src/sentry/preprod/api/endpoints/urls.py
@@ -1,6 +1,7 @@
 from django.urls import re_path
 
 from .organization_preprod_artifact_assemble import ProjectPreprodArtifactAssembleEndpoint
+from .project_preprod_artifact_download import ProjectPreprodArtifactDownloadEndpoint
 
 preprod_urlpatterns = [
     re_path(
@@ -9,3 +10,11 @@
         name="sentry-api-0-assemble-preprod-artifact-files",
     ),
 ]
+
+preprod_internal_urlpatterns = [
+    re_path(
+        r"^(?P<organization_id_or_slug>[^/]+)/(?P<project_id_or_slug>[^/]+)/files/preprodartifacts/(?P<artifact_id>[^/]+)/$",
+        ProjectPreprodArtifactDownloadEndpoint.as_view(),
+        name="sentry-api-0-project-preprod-artifact-download",
+    ),
+]
diff --git a/src/sentry/preprod/authentication.py b/src/sentry/preprod/authentication.py
@@ -0,0 +1,16 @@
+from sentry.api.authentication import AuthenticationSiloLimit, ServiceRpcSignatureAuthentication
+from sentry.silo.base import SiloMode
+
+LAUNCHPAD_RPC_SHARED_SECRET_SETTING = "LAUNCHPAD_RPC_SHARED_SECRET"
+
+
+@AuthenticationSiloLimit(SiloMode.REGION)
+class LaunchpadRpcSignatureAuthentication(ServiceRpcSignatureAuthentication):
+    """
+    Authentication for Launchpad RPC requests.
+    Requests are sent with an HMAC signed by a shared private key.
+    """
+
+    shared_secret_setting_name = LAUNCHPAD_RPC_SHARED_SECRET_SETTING
+    service_name = "Launchpad"
+    sdk_tag_name = "launchpad_rpc_auth"
diff --git a/src/sentry/testutils/auth.py b/src/sentry/testutils/auth.py
@@ -0,0 +1,33 @@
+import hashlib
+import hmac
+
+from sentry.hybridcloud.rpc.service import RpcAuthenticationSetupException
+
+
+def generate_service_request_signature(
+    url_path: str, body: bytes, shared_secret_setting: list[str] | None, service_name: str
+) -> str:
+    """
+    Generate a signature for the request body with the first shared secret.
+    If there are other shared secrets in the list they are only to be used
+    for verification during key rotation.
+
+    Args:
+        url_path: The request URL path (unused but kept for compatibility)
+        body: The request body to sign
+        shared_secret_setting: List of shared secrets from settings
+        service_name: Name of the service for error messages
+
+    NOTE: This function is used only for testing and has been moved from
+    production code since no actual services are using it in production yet.
+    """
+
+    if not shared_secret_setting:
+        raise RpcAuthenticationSetupException(
+            f"Cannot sign {service_name} RPC requests without shared secret"
+        )
+
+    signature_input = body
+    secret = shared_secret_setting[0]
+    signature = hmac.new(secret.encode("utf-8"), signature_input, hashlib.sha256).hexdigest()
+    return f"rpc0:{signature}"
diff --git a/tests/sentry/api/endpoints/test_project_preprod_artifact_download.py b/tests/sentry/api/endpoints/test_project_preprod_artifact_download.py
@@ -0,0 +1,92 @@
+from django.test import override_settings
+
+from sentry.preprod.models import PreprodArtifact
+from sentry.testutils.auth import generate_service_request_signature
+from sentry.testutils.cases import TestCase
+
+
+class ProjectPreprodArtifactDownloadEndpointTest(TestCase):
+    def setUp(self):
+        super().setUp()
+
+        # Create a test file
+        self.file = self.create_file(
+            name="test_artifact.apk",
+            type="application/octet-stream",
+        )
+
+        # Create a preprod artifact
+        self.preprod_artifact = PreprodArtifact.objects.create(
+            project=self.project,
+            file_id=self.file.id,
+            state=PreprodArtifact.ArtifactState.PROCESSED,
+            artifact_type=PreprodArtifact.ArtifactType.APK,
+        )
+
+    def _get_authenticated_request_headers(self, path, data=b""):
+        """Generate the RPC signature authentication headers for the request."""
+        signature = generate_service_request_signature(path, data, ["test-secret-key"], "Launchpad")
+        return {"HTTP_AUTHORIZATION": f"rpcsignature {signature}"}
+
+    @override_settings(LAUNCHPAD_RPC_SHARED_SECRET=["test-secret-key"])
+    def test_download_preprod_artifact_success(self):
+        url = f"/api/0/internal/{self.organization.slug}/{self.project.slug}/files/preprodartifacts/{self.preprod_artifact.id}/"
+
+        headers = self._get_authenticated_request_headers(url)
+
+        with self.feature("organizations:preprod-artifact-assemble"):
+            response = self.client.get(url, **headers)
+
+        assert response.status_code == 200
+        assert response["Content-Type"] == "application/octet-stream"
+        assert "attachment" in response["Content-Disposition"]
+
+    @override_settings(LAUNCHPAD_RPC_SHARED_SECRET=["test-secret-key"])
+    def test_download_preprod_artifact_not_found(self):
+        url = f"/api/0/internal/{self.organization.slug}/{self.project.slug}/files/preprodartifacts/999999/"
+
+        headers = self._get_authenticated_request_headers(url)
+
+        with self.feature("organizations:preprod-artifact-assemble"):
+            response = self.client.get(url, **headers)
+
+        assert response.status_code == 404
+        assert "not found" in response.json()["error"]
+
+    @override_settings(LAUNCHPAD_RPC_SHARED_SECRET=["test-secret-key"])
+    def test_download_preprod_artifact_not_processed(self):
+        # Create an artifact that's not processed yet
+        unprocessed_artifact = PreprodArtifact.objects.create(
+            project=self.project,
+            file_id=self.file.id,
+            state=PreprodArtifact.ArtifactState.UPLOADING,
+        )
+
+        url = f"/api/0/internal/{self.organization.slug}/{self.project.slug}/files/preprodartifacts/{unprocessed_artifact.id}/"
+
+        headers = self._get_authenticated_request_headers(url)
+
+        with self.feature("organizations:preprod-artifact-assemble"):
+            response = self.client.get(url, **headers)
+
+        assert response.status_code == 400
+        assert "not ready for download" in response.json()["error"]
+
+    @override_settings(LAUNCHPAD_RPC_SHARED_SECRET=["test-secret-key"])
+    def test_download_preprod_artifact_no_file(self):
+        # Create an artifact without a file
+        no_file_artifact = PreprodArtifact.objects.create(
+            project=self.project,
+            file_id=None,
+            state=PreprodArtifact.ArtifactState.PROCESSED,
+        )
+
+        url = f"/api/0/internal/{self.organization.slug}/{self.project.slug}/files/preprodartifacts/{no_file_artifact.id}/"
+
+        headers = self._get_authenticated_request_headers(url)
+
+        with self.feature("organizations:preprod-artifact-assemble"):
+            response = self.client.get(url, **headers)
+
+        assert response.status_code == 404
+        assert "file not available" in response.json()["error"]
diff --git a/tests/sentry/api/test_authentication.py b/tests/sentry/api/test_authentication.py

Original file line number	Diff line number	Diff line change
`@@ -3276,6 +3276,7 @@ def create_group_urls(name_prefix: str) -> list[URLPattern \| URLResolver]:`
`3276`	`3276`	`EmailCaptureEndpoint.as_view(),`
`3277`	`3277`	`name="sentry-demo-mode-email-capture",`
`3278`	`3278`	`),`
	`3279`	`+ *preprod_urls.preprod_internal_urlpatterns,`
`3279`	`3280`	`]`
`3280`	`3281`
`3281`	`3282`	`PREVENT_URLS = [`