feat(preprod): Make snapshots endpoint org scoped (#109575)

<!-- Describe your PR here. -->

<!--

  Sentry employees and contractors can delete or ignore the following.

-->

### Legal Boilerplate

Look, I get it. The entity doing business as "Sentry" was incorporated
in the State of Delaware in 2015 as Functional Software, Inc. and is
gonna need some rights from me in order to utilize my contributions in
this here PR. So here's the deal: I retain all rights, title and
interest in and to my contributions, and by keeping this boilerplate
intact I confirm that Sentry can use, modify, copy, and redistribute my
contributions, under Sentry's choice of terms.

Author: NicoHinderling

src/sentry/preprod/api/endpoints/preprod_artifact_snapshot.py

@@ -14,9 +14,11 @@
 from sentry.api.api_owners import ApiOwner
 from sentry.api.api_publish_status import ApiPublishStatus
 from sentry.api.base import region_silo_endpoint
+from sentry.api.bases.organization import OrganizationEndpoint, OrganizationReleasePermission
 from sentry.api.bases.project import ProjectEndpoint, ProjectReleasePermission
 from sentry.api.paginator import OffsetPaginator
 from sentry.models.commitcomparison import CommitComparison
+from sentry.models.organization import Organization
 from sentry.models.project import Project
 from sentry.objectstore import get_preprod_session
 from sentry.preprod.analytics import PreprodArtifactApiGetSnapshotDetailsEvent
@@ -79,35 +81,22 @@ def validate_preprod_snapshot_post_schema(request_body: bytes) -> tuple[dict[str
 
 
 @region_silo_endpoint
-class ProjectPreprodSnapshotEndpoint(ProjectEndpoint):
+class OrganizationPreprodSnapshotEndpoint(OrganizationEndpoint):
     owner = ApiOwner.EMERGE_TOOLS
     publish_status = {
         "GET": ApiPublishStatus.EXPERIMENTAL,
-        "POST": ApiPublishStatus.EXPERIMENTAL,
     }
-    permission_classes = (ProjectReleasePermission,)
-
-    rate_limits = RateLimitConfig(
-        limit_overrides={
-            "POST": {
-                RateLimitCategory.ORGANIZATION: RateLimit(limit=100, window=60),
-            }
-        }
-    )
-
-    def get(self, request: Request, project: Project, snapshot_id: str) -> Response:
-        """
-        Retrieves snapshot data including manifest images and VCS info.
-        """
+    permission_classes = (OrganizationReleasePermission,)
 
+    def get(self, request: Request, organization: Organization, snapshot_id: str) -> Response:
         if not settings.IS_DEV and not features.has(
-            "organizations:preprod-snapshots", project.organization, actor=request.user
+            "organizations:preprod-snapshots", organization, actor=request.user
         ):
             return Response({"detail": "Feature not enabled"}, status=403)
 
         try:
             artifact = PreprodArtifact.objects.select_related("commit_comparison").get(
-                id=snapshot_id, project_id=project.id
+                id=snapshot_id, project__organization_id=organization.id
             )
         except PreprodArtifact.DoesNotExist:
             return Response({"detail": "Snapshot not found"}, status=404)
@@ -122,7 +111,7 @@ def get(self, request: Request, project: Project, snapshot_id: str) -> Response:
             return Response({"detail": "Manifest key not found"}, status=404)
 
         try:
-            session = get_preprod_session(project.organization_id, project.id)
+            session = get_preprod_session(organization.id, artifact.project_id)
             get_response = session.get(manifest_key)
             manifest_data = orjson.loads(get_response.payload.read())
             manifest = SnapshotManifest(**manifest_data)
@@ -196,8 +185,8 @@ def get(self, request: Request, project: Project, snapshot_id: str) -> Response:
 
         analytics.record(
             PreprodArtifactApiGetSnapshotDetailsEvent(
-                organization_id=project.organization_id,
-                project_id=project.id,
+                organization_id=organization.id,
+                project_id=artifact.project_id,
                 user_id=request.user.id if request.user and request.user.is_authenticated else None,
                 artifact_id=str(artifact.id),
             )
@@ -269,8 +258,8 @@ def on_results(images: list[SnapshotImageResponse]) -> dict[str, Any]:
             )
 
             result = response.dict()
-            result["org_id"] = str(project.organization_id)
-            result["project_id"] = str(project.id)
+            result["org_id"] = str(organization.id)
+            result["project_id"] = str(artifact.project_id)
             result["comparison_type"] = comparison_type
             if comparison_state is not None:
                 result["comparison_state"] = comparison_state
@@ -286,6 +275,23 @@ def on_results(images: list[SnapshotImageResponse]) -> dict[str, Any]:
             max_per_page=100,
         )
 
+
+@region_silo_endpoint
+class ProjectPreprodSnapshotEndpoint(ProjectEndpoint):
+    owner = ApiOwner.EMERGE_TOOLS
+    publish_status = {
+        "POST": ApiPublishStatus.EXPERIMENTAL,
+    }
+    permission_classes = (ProjectReleasePermission,)
+
+    rate_limits = RateLimitConfig(
+        limit_overrides={
+            "POST": {
+                RateLimitCategory.ORGANIZATION: RateLimit(limit=100, window=60),
+            }
+        }
+    )
+
     def post(self, request: Request, project: Project) -> Response:
         if not settings.IS_DEV and not features.has(
             "organizations:preprod-snapshots", project.organization, actor=request.user

src/sentry/preprod/api/endpoints/urls.py

@@ -27,7 +27,10 @@
     PreprodArtifactRerunAnalysisEndpoint,
 )
 from .preprod_artifact_rerun_status_checks import PreprodArtifactRerunStatusChecksEndpoint
-from .preprod_artifact_snapshot import ProjectPreprodSnapshotEndpoint
+from .preprod_artifact_snapshot import (
+    OrganizationPreprodSnapshotEndpoint,
+    ProjectPreprodSnapshotEndpoint,
+)
 from .preprod_snapshot_recompare import PreprodSnapshotRecompareEndpoint
 from .project_installable_preprod_artifact_download import (
     ProjectInstallablePreprodArtifactDownloadEndpoint,
@@ -76,11 +79,6 @@
         ProjectPreprodUploadOptionsEndpoint.as_view(),
         name="sentry-api-0-project-preprod-snapshots-upload-options",
     ),
-    re_path(
-        r"^(?P<organization_id_or_slug>[^/]+)/(?P<project_id_or_slug>[^/]+)/preprodartifacts/snapshots/(?P<snapshot_id>[^/]+)/$",
-        ProjectPreprodSnapshotEndpoint.as_view(),
-        name="sentry-api-0-project-preprod-snapshots-detail",
-    ),
     re_path(
         r"^(?P<organization_id_or_slug>[^/]+)/(?P<project_id_or_slug>[^/]+)/preprodartifacts/check-for-updates/$",
         ProjectPreprodArtifactCheckForUpdatesEndpoint.as_view(),
@@ -188,6 +186,11 @@
         name="sentry-api-0-organization-preprod-artifact-public-size-analysis",
     ),
     # Snapshots
+    re_path(
+        r"^(?P<organization_id_or_slug>[^/]+)/preprodartifacts/snapshots/(?P<snapshot_id>[^/]+)/$",
+        OrganizationPreprodSnapshotEndpoint.as_view(),
+        name="sentry-api-0-project-preprod-snapshots-detail",
+    ),
     re_path(
         r"^(?P<organization_id_or_slug>[^/]+)/preprodartifacts/snapshots/(?P<snapshot_id>[^/]+)/recompare/$",
         PreprodSnapshotRecompareEndpoint.as_view(),

static/app/router/routes.tsx

@@ -2429,7 +2429,7 @@ function buildRoutes(): RouteObject[] {
       ],
     },
     {
-      path: ':projectSlug/snapshots/:snapshotId/',
+      path: 'snapshots/:snapshotId/',
       component: make(() => import('sentry/views/preprod/snapshots/snapshots')),
     },
     // TODO(EME-735): Remove old routes after backend deployment

static/app/utils/api/knownSentryApiUrls.generated.ts

@@ -474,6 +474,7 @@ export type KnownSentryApiUrls =
   | '/organizations/$organizationIdOrSlug/preprodartifacts/$artifactId/install-details/'
   | '/organizations/$organizationIdOrSlug/preprodartifacts/$artifactId/size-analysis/'
   | '/organizations/$organizationIdOrSlug/preprodartifacts/list-builds/'
+  | '/organizations/$organizationIdOrSlug/preprodartifacts/snapshots/$snapshotId/'
   | '/organizations/$organizationIdOrSlug/preprodartifacts/snapshots/$snapshotId/recompare/'
   | '/organizations/$organizationIdOrSlug/prevent/owner/$owner/repositories/'
   | '/organizations/$organizationIdOrSlug/prevent/owner/$owner/repositories/sync/'
@@ -673,7 +674,6 @@ export type KnownSentryApiUrls =
   | '/projects/$organizationIdOrSlug/$projectIdOrSlug/preprodartifacts/size-analysis/compare/$headArtifactId/$baseArtifactId/'
   | '/projects/$organizationIdOrSlug/$projectIdOrSlug/preprodartifacts/size-analysis/compare/$headSizeMetricId/$baseSizeMetricId/download/'
   | '/projects/$organizationIdOrSlug/$projectIdOrSlug/preprodartifacts/snapshots/'
-  | '/projects/$organizationIdOrSlug/$projectIdOrSlug/preprodartifacts/snapshots/$snapshotId/'
   | '/projects/$organizationIdOrSlug/$projectIdOrSlug/preprodartifacts/snapshots/upload-options/'
   | '/projects/$organizationIdOrSlug/$projectIdOrSlug/processing-errors/'
   | '/projects/$organizationIdOrSlug/$projectIdOrSlug/processing-errors/$uuid/'

static/app/views/preprod/snapshots/main/snapshotMainContent.tsx

@@ -14,7 +14,7 @@ interface SnapshotMainContentProps {
   currentGroupName: string | null;
   onVariantChange: (index: number) => void;
   organizationSlug: string;
-  projectSlug: string;
+  projectId: string;
   variantIndex: number;
 }
 
@@ -24,7 +24,7 @@ export function SnapshotMainContent({
   variantIndex,
   onVariantChange,
   organizationSlug,
-  projectSlug,
+  projectId,
 }: SnapshotMainContentProps) {
   const selectedImage = currentGroupImages[variantIndex];
   if (!currentGroupName || !selectedImage) {
@@ -35,7 +35,7 @@ export function SnapshotMainContent({
     );
   }
 
-  const imageUrl = `/api/0/projects/${organizationSlug}/${projectSlug}/files/images/${selectedImage.key}/`;
+  const imageUrl = `/api/0/projects/${organizationSlug}/${projectId}/files/images/${selectedImage.key}/`;
   const totalVariants = currentGroupImages.length;
   const displayName = selectedImage.display_name ?? selectedImage.image_file_name;
 

static/app/views/preprod/snapshots/snapshots.tsx

@@ -23,9 +23,7 @@ import {SnapshotSidebarContent} from './sidebar/snapshotSidebarContent';
 
 export default function SnapshotsPage() {
   const organization = useOrganization();
-  const {projectId, projectSlug, snapshotId} = useParams<{
-    projectId: string;
-    projectSlug: string;
+  const {snapshotId} = useParams<{
     snapshotId: string;
   }>();
 
@@ -34,19 +32,18 @@ export default function SnapshotsPage() {
       queryKey: [
         'infinite',
         getApiUrl(
-          '/projects/$organizationIdOrSlug/$projectIdOrSlug/preprodartifacts/snapshots/$snapshotId/',
+          '/organizations/$organizationIdOrSlug/preprodartifacts/snapshots/$snapshotId/',
           {
             path: {
               organizationIdOrSlug: organization.slug,
-              projectIdOrSlug: projectSlug,
               snapshotId,
             },
           }
         ),
         {query: {per_page: 20}},
       ],
       staleTime: 0,
-      enabled: !!projectSlug && !!snapshotId,
+      enabled: !!snapshotId,
     });
 
   const [searchQuery, setSearchQuery] = useState('');
@@ -129,7 +126,10 @@ export default function SnapshotsPage() {
     <SentryDocumentTitle title={t('Snapshot')}>
       <Layout.Page>
         <Layout.Header>
-          <SnapshotHeaderContent projectId={projectId} data={firstPageData} />
+          <SnapshotHeaderContent
+            projectId={firstPageData.project_id}
+            data={firstPageData}
+          />
         </Layout.Header>
         <Flex direction="row" gap="0" height="100%" width="100%">
           <SnapshotSidebarContent
@@ -149,7 +149,7 @@ export default function SnapshotsPage() {
             variantIndex={variantIndex}
             onVariantChange={setVariantIndex}
             organizationSlug={organization.slug}
-            projectSlug={projectSlug}
+            projectId={firstPageData.project_id}
           />
         </Flex>
       </Layout.Page>

static/app/views/preprod/types/snapshotTypes.ts

@@ -21,6 +21,7 @@ export interface SnapshotDetailsApiResponse {
   head_artifact_id: string;
   image_count: number;
   images: SnapshotImage[];
+  project_id: string;
   state: string;
   vcs_info: BuildDetailsVcsInfo;
 

tests/sentry/preprod/api/endpoints/test_preprod_artifact_snapshot.py

@@ -23,10 +23,9 @@ def _get_create_url(self):
         )
 
     def _get_detail_url(self, snapshot_id):
-        """URL for GET (retrieving snapshots)"""
         return reverse(
             "sentry-api-0-project-preprod-snapshots-detail",
-            args=[self.org.slug, self.project.slug, snapshot_id],
+            args=[self.org.slug, snapshot_id],
         )
 
     def test_successful_snapshot_upload(self):
@@ -141,9 +140,7 @@ def test_snapshot_with_empty_images(self):
 
     def test_snapshot_missing_required_field(self):
         url = self._get_create_url()
-        data: dict[str, str] = {
-            # Missing images field
-        }
+        data: dict[str, str] = {}
 
         with self.feature("organizations:preprod-snapshots"):
             response = self.client.post(url, data, format="json")
@@ -264,7 +261,7 @@ def setUp(self):
     def _get_detail_url(self, snapshot_id):
         return reverse(
             "sentry-api-0-project-preprod-snapshots-detail",
-            args=[self.org.slug, self.project.slug, snapshot_id],
+            args=[self.org.slug, snapshot_id],
         )
 
     def _create_artifact_with_manifest(self, images=None, commit_comparison=None):
@@ -400,9 +397,10 @@ def test_get_snapshot_not_found(self):
         assert response.status_code == 404
         assert response.data["detail"] == "Snapshot not found"
 
-    def test_get_snapshot_wrong_project(self):
-        """Artifact belonging to a different project should return 404 (IDOR protection)."""
-        other_project = self.create_project(organization=self.org)
+    def test_get_snapshot_wrong_organization(self):
+        """Artifact belonging to a different organization should return 404 (IDOR protection)."""
+        other_org = self.create_organization()
+        other_project = self.create_project(organization=other_org)
         artifact = PreprodArtifact.objects.create(
             project=other_project,
             state=PreprodArtifact.ArtifactState.UPLOADED,