DNM feat(preprod): Add distribution:read scope

Author: chromy

src/sentry/api/bases/project.py

@@ -120,6 +120,15 @@ class ProjectOwnershipPermission(ProjectPermission):
     }
 
 
+class ProjectDistributionPermission(ProjectPermission):
+    scope_map = {
+        "GET": ["project:read", "project:write", "project:admin", "distribution:read", "org:ci"],
+        "POST": ["project:write", "project:admin"],
+        "PUT": ["project:read", "project:write", "project:admin"],
+        "DELETE": ["project:admin"],
+    }
+
+
 class ProjectEndpoint(Endpoint):
     permission_classes: tuple[type[BasePermission], ...] = (ProjectPermission,)
 

src/sentry/conf/server.py

@@ -1727,6 +1727,7 @@ def custom_parameter_sort(parameter: dict) -> tuple[str, int]:
     "event:admin",
     "alerts:read",
     "alerts:write",
+    "distribution:read",
     # openid, profile, and email aren't prefixed to maintain compliance with the OIDC spec.
     # https://auth0.com/docs/get-started/apis/scopes/openid-connect-scopes.
     "openid",
@@ -1741,6 +1742,7 @@ def custom_parameter_sort(parameter: dict) -> tuple[str, int]:
     "project:read",
     "event:read",
     "alerts:read",
+    "distribution:read",
 }
 
 SENTRY_SCOPE_HIERARCHY_MAPPING = {
@@ -1765,6 +1767,7 @@ def custom_parameter_sort(parameter: dict) -> tuple[str, int]:
     "event:admin": {"event:read", "event:write", "event:admin"},
     "alerts:read": {"alerts:read"},
     "alerts:write": {"alerts:read", "alerts:write"},
+    "distribution:read": {"distribution:read"},
     "openid": {"openid"},
     "profile": {"profile"},
     "email": {"email"},
@@ -1808,6 +1811,7 @@ def custom_parameter_sort(parameter: dict) -> tuple[str, int]:
         ("alerts:write", "Read and write alerts"),
         ("alerts:read", "Read alerts"),
     ),
+    (("distribution:read", "Read access to builds."),),
     (("openid", "Confirms authentication status and provides basic information."),),
     (
         (
@@ -1843,6 +1847,7 @@ def custom_parameter_sort(parameter: dict) -> tuple[str, int]:
             "team:read",
             "alerts:read",
             "alerts:write",
+            "distribution:read",
         },
     },
     {
@@ -1875,6 +1880,7 @@ def custom_parameter_sort(parameter: dict) -> tuple[str, int]:
             "org:integrations",
             "alerts:read",
             "alerts:write",
+            "distribution:read",
         },
         "is_retired": True,
     },
@@ -1902,6 +1908,7 @@ def custom_parameter_sort(parameter: dict) -> tuple[str, int]:
             "org:integrations",
             "alerts:read",
             "alerts:write",
+            "distribution:read",
         },
         "is_global": True,
     },
@@ -1936,6 +1943,7 @@ def custom_parameter_sort(parameter: dict) -> tuple[str, int]:
             "event:admin",
             "alerts:read",
             "alerts:write",
+            "distribution:read",
         },
         "is_global": True,
     },
@@ -1956,6 +1964,7 @@ def custom_parameter_sort(parameter: dict) -> tuple[str, int]:
             "member:read",
             "team:read",
             "alerts:read",
+            "distribution:read",
             # "alerts:write",  # Scope granted/withdrawn by "sentry:alerts_member_write" to org-level role
         },
     },
@@ -1985,6 +1994,7 @@ def custom_parameter_sort(parameter: dict) -> tuple[str, int]:
             "org:integrations",
             "alerts:read",
             "alerts:write",
+            "distribution:read",
         },
         "is_minimum_role_for": "admin",
     },

src/sentry/models/apiscopes.py

@@ -33,6 +33,8 @@ class ApiScopes(Sequence):
 
     alerts = (("alerts:read"), ("alerts:write"))
 
+    distribution = (("distribution:read"),)
+
     def __init__(self):
         self.scopes = (
             self.__class__.project
@@ -41,6 +43,7 @@ def __init__(self):
             + self.__class__.org
             + self.__class__.member
             + self.__class__.alerts
+            + self.__class__.distribution
         )
 
     def __getitem__(self, value):
@@ -85,6 +88,7 @@ class Meta:
             "alerts:read": bool,
             "alerts:write": bool,
             "member:invite": bool,
+            "distribution:read": bool,
         },
     )
     assert set(ScopesDict.__annotations__) == set(ApiScopes())

src/sentry/preprod/api/endpoints/project_preprod_check_for_updates.py

@@ -8,7 +8,7 @@
 from sentry.api.api_owners import ApiOwner
 from sentry.api.api_publish_status import ApiPublishStatus
 from sentry.api.base import region_silo_endpoint
-from sentry.api.bases.project import ProjectEndpoint, ProjectReleasePermission
+from sentry.api.bases.project import ProjectDistributionPermission, ProjectEndpoint
 from sentry.preprod.build_distribution_utils import (
     get_download_url_for_artifact,
     is_installable_artifact,
@@ -41,7 +41,7 @@ class ProjectPreprodArtifactCheckForUpdatesEndpoint(ProjectEndpoint):
     publish_status = {
         "GET": ApiPublishStatus.EXPERIMENTAL,
     }
-    permission_classes = (ProjectReleasePermission,)
+    permission_classes = (ProjectDistributionPermission,)
 
     enforce_rate_limit = True
     rate_limits = RateLimitConfig(

static/app/constants/index.tsx

@@ -32,6 +32,7 @@ export const DEFAULT_APP_ROUTE = USING_CUSTOMER_DOMAIN
 export const API_ACCESS_SCOPES = [
   'alerts:read',
   'alerts:write',
+  'distribution:read',
   'event:admin',
   'event:read',
   'event:write',
@@ -54,6 +55,7 @@ export const API_ACCESS_SCOPES = [
 export const ALLOWED_SCOPES = [
   'alerts:read',
   'alerts:write',
+  'distribution:read',
   'event:admin',
   'event:read',
   'event:write',
@@ -208,6 +210,14 @@ export const SENTRY_APP_PERMISSIONS: PermissionObj[] = [
       write: {label: 'Read & Write', scopes: ['alerts:read', 'alerts:write']},
     },
   },
+  {
+    resource: 'Distribution',
+    help: 'Download and install uploaded builds',
+    choices: {
+      'no-access': {label: 'No Access', scopes: []},
+      read: {label: 'Read', scopes: ['distribution:read']},
+    },
+  },
 ];
 
 export const DEFAULT_TOAST_DURATION = 6000;

static/app/types/integrations.tsx

@@ -17,6 +17,7 @@ import type {User} from './user';
 export type PermissionValue = 'no-access' | 'read' | 'write' | 'admin';
 
 export type Permissions = {
+  Distribution: PermissionValue;
   Event: PermissionValue;
   Member: PermissionValue;
   Organization: PermissionValue;

static/app/utils/consolidatedScopes.tsx

@@ -19,6 +19,7 @@ const HUMAN_RESOURCE_NAMES = {
   org: 'Organization',
   member: 'Member',
   alerts: 'Alerts',
+  distribution: 'Distribution',
 };
 
 const DEFAULT_RESOURCE_PERMISSIONS: Permissions = {
@@ -29,6 +30,7 @@ const DEFAULT_RESOURCE_PERMISSIONS: Permissions = {
   Organization: 'no-access',
   Member: 'no-access',
   Alerts: 'no-access',
+  Distribution: 'no-access',
 };
 
 const PROJECT_RELEASES = 'project:releases';

static/app/views/settings/account/apiNewToken.tsx

@@ -29,6 +29,7 @@ export default function ApiNewToken() {
     Release: 'no-access',
     Organization: 'no-access',
     Alerts: 'no-access',
+    Distribution: 'no-access',
   });
   const navigate = useNavigate();
   const [hasNewToken, setHasnewToken] = useState(false);

static/app/views/settings/organizationDeveloperSettings/permissionSelection.spec.tsx

@@ -23,6 +23,7 @@ describe('PermissionSelection', () => {
             Project: 'write',
             Release: 'admin',
             Organization: 'admin',
+            Distribution: 'no-access',
           }}
           onChange={onChange}
         />
@@ -38,6 +39,7 @@ describe('PermissionSelection', () => {
     expect(screen.getByRole('textbox', {name: 'Issue & Event'})).toBeInTheDocument();
     expect(screen.getByRole('textbox', {name: 'Organization'})).toBeInTheDocument();
     expect(screen.getByRole('textbox', {name: 'Member'})).toBeInTheDocument();
+    expect(screen.getByRole('textbox', {name: 'Distribution'})).toBeInTheDocument();
   });
 
   it('lists human readable permissions', async () => {
@@ -54,6 +56,7 @@ describe('PermissionSelection', () => {
     await expectOptions('Issue & Event', ['No Access', 'Read', 'Read & Write', 'Admin']);
     await expectOptions('Organization', ['No Access', 'Read', 'Read & Write', 'Admin']);
     await expectOptions('Member', ['No Access', 'Read', 'Read & Write', 'Admin']);
+    await expectOptions('Distribution', ['No Access', 'Read']);
   });
 
   it('stores the permissions the User has selected', async () => {
@@ -67,12 +70,14 @@ describe('PermissionSelection', () => {
     await selectByValue('Issue & Event', 'Admin');
     await selectByValue('Organization', 'Read');
     await selectByValue('Member', 'No Access');
+    await selectByValue('Distribution', 'No Access');
 
     expect(model.getValue('Project--permission')).toBe('write');
     expect(model.getValue('Team--permission')).toBe('read');
     expect(model.getValue('Release--permission')).toBe('admin');
     expect(model.getValue('Event--permission')).toBe('admin');
     expect(model.getValue('Organization--permission')).toBe('read');
     expect(model.getValue('Member--permission')).toBe('no-access');
+    expect(model.getValue('Distribution--permission')).toBe('no-access');
   });
 });

static/app/views/settings/organizationDeveloperSettings/resourceSubscriptions.spec.tsx

@@ -17,6 +17,7 @@ describe('Resource Subscriptions', () => {
               Release: 'admin',
               Organization: 'admin',
               Member: 'admin',
+              Distribution: 'no-access',
             }}
             onChange={jest.fn()}
           />
@@ -42,6 +43,7 @@ describe('Resource Subscriptions', () => {
               Release: 'admin',
               Organization: 'admin',
               Member: 'admin',
+              Distribution: 'no-access',
             }}
             onChange={jest.fn()}
           />
@@ -67,6 +69,7 @@ describe('Resource Subscriptions', () => {
               Release: 'admin',
               Organization: 'admin',
               Member: 'admin',
+              Distribution: 'no-access',
             }}
             onChange={jest.fn()}
           />
@@ -90,6 +93,7 @@ describe('Resource Subscriptions', () => {
               Release: 'admin',
               Organization: 'admin',
               Member: 'admin',
+              Distribution: 'no-access',
             }}
             onChange={jest.fn()}
           />