feat(preprod): Add preprod images download endpoint

[rbro112]

Adds a new preprod /files/images/<image_id> endpoint which allows our frontend to download images from an ID with objectstore. First to be used with app icons coming soon.

Tested fully E2E locally and all works well. To work, this is reliant on landing getsentry/launchpad#430 once we get a published version of the objectstore client, but since nobody will be consuming this endpoint until we land the stacked PR (#102118) this is safe to go ahead and merge.

[rbro112]

• feat(preprod): Wireup app icon frontend #102118
• feat(preprod): Add preprod images download endpoint #102117 👈 (View in Graphite)
• master

This stack of pull requests is managed by Graphite. Learn more about stacking.

[rbro112]

I didn't change these, I just reordered a few of these to match the .register order below

[codecov]

Codecov Report

❌ Patch coverage is 87.50000% with 6 lines in your changes missing coverage. Please review.
✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
src/sentry/objectstore/__init__.py	50.00%	3 Missing ⚠️
...od/api/endpoints/project_preprod_artifact_image.py	88.88%	3 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff             @@
##           master   #102117      +/-   ##
===========================================
- Coverage   80.72%    80.62%   -0.11%     
===========================================
  Files        9418      9417       -1     
  Lines      406044    403982    -2062     
  Branches    25662     25662              
===========================================
- Hits       327783    325700    -2083     
- Misses      77792     77813      +21     
  Partials      469       469              

[noahsmartin]

From Jan's comment below it sounds like eventually this can be set on write and we wouldn't have to do it here on read, but this seems ok for now to unblock testing

[rbro112]

Yep, before merge I'll leverage a custom metadata field and we can use the first class one as soon as Jan & team land that.

[rbro112]

There should be helpers for this in the objectstore client now: https://sentry.slack.com/archives/C08S3SK6JEN/p1763139914180699?thread_ts=1762422386.367739&cid=C08S3SK6JEN

[rbro112]

This is related to app icon, not the generic download endpoint, but should be fine to merge as the frontend does not yet use this until #102118 lands

[rbro112]

@jan-auer saw this practice already used for attachments, is this how you all would recommend using a global session?

[lcian]

Yeah. Although you might as well create a dict mapping Usecase -> Client | None to store the usecase and the client, as I can see us adding more of these over time.

[rbro112]

Will do this in a follow up, want to minimize risk for us here so I'd prefer not to touch existing _ATTACHMENTS_CLIENT

[jan-auer]

We should default to using just a single client for all use cases. If you want to play it extra safe in the beginning, that's fine, but eventually I would suggest to maintain one _OBJECTSTORE_CLIENT and simply create separate sessions using that.

[rbro112]

Given the existence of _ATTACHMENTS_CLIENT, I won't modify theirs, but I'll update preprod to use a generic client and create the sessions off of that.

The owner of the attachments client/usecase can update theirs as they wish, but I want to de-risk our impl to avoid breaking other clients.

[cursor]

Bug: Invalid dictionary passed to HttpResponse without JSON serialization

The error response passes a dictionary directly to HttpResponse instead of serializing it to JSON. HttpResponse expects string or bytes content, and will convert the dict to its Python string representation (e.g., "{'error': '...'}") instead of valid JSON. Use json.dumps() to serialize the dictionary first.

 

[cursor]

Bug: Invalid dictionary passed to HttpResponse without JSON serialization

The error response passes a dictionary directly to HttpResponse instead of serializing it to JSON. HttpResponse expects string or bytes content, and will convert the dict to its Python string representation (e.g., "{'error': '...'}") instead of valid JSON. Use json.dumps() to serialize the dictionary first, or use Response from rest_framework.

 

[github-actions]

🚨 Warning: This pull request contains Frontend and Backend changes!

It's discouraged to make changes to Sentry's Frontend and Backend in a single pull request. The Frontend and Backend are not atomically deployed. If the changes are interdependent of each other, they must be separated into two pull requests and be made forward or backwards compatible, such that the Backend or Frontend can be safely deployed independently.

Have questions? Please ask in the #discuss-dev-infra channel.

[jan-auer]

We should default to using just a single client for all use cases. If you want to play it extra safe in the beginning, that's fine, but eventually I would suggest to maintain one _OBJECTSTORE_CLIENT and simply create separate sessions using that.

[jan-auer]

We have a generic endpoint that proxies through to objectstore now (OrganizationObjectstoreEndpoint). What if you issue a temporary redirect (307) instead and let that endpoint do the proxying? This will also include the content-type header.

@lcian we should add a get_proxy_url to sentry.objectstore similar to get_symbolicator_url that outputs the route. That allows us to add the signature once we ship it.

[rbro112]

I'll follow on with this improvement as currently the generic endpoint requires the organizations:objectstore-endpoint, which appears to be limited to just internal testing. Should you all plan to change this sooner, I'm happy to issue the redirect, but this functionality is currently too limited for our usecase.

[rbro112]

Also we can just leverage the generic endpoint from our frontend use-case, but also will suffer from the same limitations of the feature flag here, so once that's enabled for a wider audience I can make that change and just likely remove this endpoint entirely.