getsentry
diff --git a/‎.github/workflows/build-clients.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/build-clients.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.secret_scan_ignore‎
Lines changed: 4 additions & 0 deletions b/‎.secret_scan_ignore‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎.vscode/settings.json‎
Lines changed: 3 additions & 0 deletions b/‎.vscode/settings.json‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎Cargo.toml‎
Lines changed: 2 additions & 0 deletions b/‎Cargo.toml‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎clients/python/README.md‎
Lines changed: 12 additions & 0 deletions b/‎clients/python/README.md‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎clients/python/docs/objectstore_client.rst‎
Lines changed: 24 additions & 0 deletions b/‎clients/python/docs/objectstore_client.rst‎
Lines changed: 24 additions & 0 deletions
diff --git a/‎clients/python/pyproject.toml‎
Lines changed: 5 additions & 5 deletions b/‎clients/python/pyproject.toml‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎clients/python/src/objectstore_client/__init__.py‎
Lines changed: 3 additions & 0 deletions b/‎clients/python/src/objectstore_client/__init__.py‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎clients/python/src/objectstore_client/auth.py‎
Lines changed: 56 additions & 0 deletions b/‎clients/python/src/objectstore_client/auth.py‎
Lines changed: 56 additions & 0 deletions
@@ -19,7 +19,7 @@ jobs:
       - uses: astral-sh/setup-uv@5a7eac68fb9809dea845d802897dc5c723910fa3 # v7.1.3
 
       - name: Build artifacts
-        run: uv build --package objectstore-client
+        run: uv build --package objectstore-client --no-dev
 
       - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
 
@@ -0,0 +1,4 @@
+objectstore-test\/config\/ed25519\.private\.pem
+objectstore-test\/config\/ed25519\.public\.pem
+clients\/python\/tests\/ed25519\.private\.pem
+clients\/python\/tests\/ed25519\.public\.pem
@@ -19,5 +19,8 @@
   "[markdown]": {
     "editor.rulers": [80],
     "editor.tabSize": 2,
+  },
+  "[python]": {
+    "editor.rulers": [88],
   }
 }
@@ -36,6 +36,7 @@ futures-util = "0.3.31"
 http = "1.3.1"
 humantime = "2.2.0"
 humantime-serde = "1.1.1"
+jsonwebtoken = { version = "10.2.0", features = ["rust_crypto"] }
 merni = "0.1.3"
 mimalloc = { version = "0.1.48", features = ["v3", "override"] }
 rand = "0.9.1"
@@ -49,4 +50,5 @@ tokio = "1.47.0"
 tokio-stream = "0.1.17"
 tokio-util = "0.7.15"
 tracing = "0.1.41"
+tracing-subscriber = { version = "0.3.19", features = ["env-filter", "json"] }
 uuid = { version = "1.17.0", features = ["v4"] }
@@ -14,11 +14,21 @@ import urllib3
 from objectstore_client import (
     Client,
     NoOpMetricsBackend,
+    Permission,
     TimeToIdle,
     TimeToLive,
+    TokenGenerator,
     Usecase,
 )
 
+# Necessary when using Objectstore instances that enforce authorization checks.
+token_generator = TokenGenerator(
+    "my-key-id",
+    "<securely inject EdDSA private key>",
+    expiry_seconds=60,
+    permissions=Permission.max(),
+)
+
 # This should be stored in a global variable and reused, in order to reuse the connection
 client = Client(
     "http://localhost:8888",
@@ -31,6 +41,8 @@ client = Client(
     retries=3,      # Number of connection retries
     # For further customization, provide additional kwargs for urllib3.HTTPConnectionPool
     connection_kwargs={"maxsize": 10},
+    # Optionally, provide a token generator for Objectstore instances with authorization enforced
+    token_generator=token_generator,
 )
 
 # This could also be stored in a global/shared variable, as you will deal with a fixed number of usecases with statically defined defaults
 
@@ -9,6 +9,14 @@ objectstore\_client package
 Submodules
 ----------
 
+objectstore\_client.auth module
+-------------------------------
+
+.. automodule:: objectstore_client.auth
+   :members:
+   :show-inheritance:
+   :undoc-members:
+
 objectstore\_client.client module
 ---------------------------------
 
@@ -32,3 +40,19 @@ objectstore\_client.metrics module
    :members:
    :show-inheritance:
    :undoc-members:
+
+objectstore\_client.scope module
+--------------------------------
+
+.. automodule:: objectstore_client.scope
+   :members:
+   :show-inheritance:
+   :undoc-members:
+
+objectstore\_client.utils module
+--------------------------------
+
+.. automodule:: objectstore_client.utils
+   :members:
+   :show-inheritance:
+   :undoc-members:
@@ -3,20 +3,20 @@ name = "objectstore-client"
 version = "0.0.14"
 description = "Client SDK for Objectstore, the Sentry object storage platform"
 readme = "README.md"
-authors = [
-    {name = "Sentry", email = "oss@sentry.io"},
-]
-homepage = "https://getsentry.github.io/objectstore/"
-repository = "https://github.com/getsentry/objectstore"
+authors = [{ name = "Sentry", email = "oss@sentry.io" }]
 license = { file = "LICENSE.md" }
 requires-python = ">=3.11"
 dependencies = [
     "sentry-sdk>=2.42.1",
     "urllib3>=2.2.2",
     "zstandard>=0.18.0",
     "filetype>=1.2.0",
+    "PyJWT[crypto]>=2.10.1",
 ]
 
 [build-system]
 requires = ["uv_build"]
 build-backend = "uv_build"
+
+[dependency-groups]
+dev = []
@@ -1,3 +1,4 @@
+from objectstore_client.auth import Permission, TokenGenerator
 from objectstore_client.client import (
     Client,
     GetResponse,
@@ -23,8 +24,10 @@
     "Compression",
     "ExpirationPolicy",
     "Metadata",
+    "Permission",
     "TimeToIdle",
     "TimeToLive",
+    "TokenGenerator",
     "MetricsBackend",
     "NoOpMetricsBackend",
 ]
@@ -0,0 +1,56 @@
+from datetime import UTC, datetime, timedelta
+from enum import StrEnum
+from typing import Self
+
+import jwt
+
+from objectstore_client.scope import Scope
+
+
+class Permission(StrEnum):
+    """
+    Enum listing permissions that Objectstore tokens may be granted.
+    """
+
+    OBJECT_READ = "object.read"
+    OBJECT_WRITE = "object.write"
+    OBJECT_DELETE = "object.delete"
+
+    @classmethod
+    def max(cls) -> list[Self]:
+        return list(cls.__members__.values())
+
+
+class TokenGenerator:
+    def __init__(
+        self,
+        kid: str,
+        secret_key: str,
+        expiry_seconds: int = 60,
+        permissions: list[Permission] = Permission.max(),
+    ):
+        self.kid = kid
+        self.secret_key = secret_key
+        self.expiry_seconds = expiry_seconds
+        self.permissions = permissions
+
+    def sign_for_scope(self, usecase: str, scope: Scope) -> str:
+        """
+        Sign a JWT for the passed-in usecase and scope using the configured key
+        information, expiry, and permissions.
+
+        The JWT is signed using EdDSA, so `self.secret_key` must be an EdDSA private
+        key. `self.kid` is used by the Objectstore server to load the corresponding
+        public key from its configuration.
+        """
+        headers = {"kid": self.kid}
+        claims = {
+            "res": {
+                "os:usecase": usecase,
+                **{k: str(v) for k, v in scope.dict().items()},
+            },
+            "permissions": self.permissions,
+            "exp": datetime.now(tz=UTC) + timedelta(seconds=self.expiry_seconds),
+        }
+
+        return jwt.encode(claims, self.secret_key, algorithm="EdDSA", headers=headers)
Original file line number	Diff line number	Diff line change
`@@ -19,5 +19,8 @@`
`19`	`19`	`"[markdown]": {`
`20`	`20`	`"editor.rulers": [80],`
`21`	`21`	`"editor.tabSize": 2,`
	`22`	`+ },`
	`23`	`+ "[python]": {`
	`24`	`+ "editor.rulers": [88],`
`22`	`25`	`}`
`23`	`26`	`}`