feat(symbols): Add platform-restricted builtin symbol sources with org access control (#102013)

vaind · priscilawebdev · loewenheim · web-flow · commit 5efb05c3ac21 · 2025-12-01T15:18:42.000+01:00
## Summary Adds support for **platform-restricted builtin symbol sources** with organization-level access control. This enables symbol sources to be restricted to specific platforms (e.g., console platforms like Nintendo Switch) and only accessible to organizations with the appropriate console platform access enabled. **Companion PR**: [getsentry/getsentry#18867](getsentry/getsentry#18867) - Defines the Nintendo symbol source configuration (credentials, bucket settings, etc.) ## Changes ### Platform Filtering for Builtin Sources API - **[builtin_symbol_sources.py](src/sentry/api/endpoints/builtin_symbol_sources.py)**: Add platform-based filtering - Filter sources by `platform` query parameter - Check organization's `enabledConsolePlatforms` access for restricted sources - Backward compatible (works without platform parameter) ### Default Symbol Sources Enhancement - **[default_symbol_sources.py](src/sentry/api/helpers/default_symbol_sources.py)**: Enhanced helper for platform-specific defaults - Added `nintendo-switch` platform mapping to `nintendo` source - Check platform restrictions and org access before adding sources - Organization auto-fetched from project if not provided ### Shared Utility - **[console_platforms.py](src/sentry/utils/console_platforms.py)**: New utility module - `organization_has_console_platform_access()` - checks if org has access to a console platform - Used by both builtin sources endpoint and tempest utils ### Schema Update - **[sources.py](src/sentry/lang/native/sources.py)**: Add `platforms` field to source schema ### Refactoring - **[tempest/utils.py](src/sentry/tempest/utils.py)**: Refactored to use shared `organization_has_console_platform_access` utility - **[team_projects.py](src/sentry/core/endpoints/team_projects.py)**: Pass organization to `set_default_symbol_sources()` ## How It Works ### Platform Restrictions Sources can include a `platforms` key to restrict visibility: ```python "nintendo": { "type": "s3", "platforms": ["nintendo-switch"], # Only visible to nintendo-switch projects # ... other config (defined in getsentry) } ``` **Two-layer filtering:** 1. **Platform match**: Request's platform must match source's `platforms` list 2. **Org access**: Organization must have platform in `enabledConsolePlatforms` ### Default Symbol Sources ```python DEFAULT_SYMBOL_SOURCES = { "electron": ["ios", "microsoft", "electron"], "unity": ["ios", "microsoft", "android", "nuget", "unity", "nvidia", "ubuntu"], "unreal": ["ios", "microsoft", "android", "nvidia", "ubuntu"], "godot": ["ios", "microsoft", "android", "nuget", "nvidia", "ubuntu"], "nintendo-switch": ["nintendo"], } ``` ## Test Plan - [x] Unit tests pass - [x] Pre-commit hooks pass - [x] Mypy type checking passes - [x] Verify Nintendo Switch project in enabled org sees the source - [x] Verify Nintendo Switch project in non-enabled org does NOT see the source - [x] Verify non-Nintendo projects never see the source - [x] Verify public sources still visible to all platforms - [x] Verify API works without platform parameter (backward compatibility) --------- Co-authored-by: Priscila Oliveira <priscilawebdev@gmail.com> Co-authored-by: Sebastian Zivota <loewenheim@users.noreply.github.com>
diff --git a/src/sentry/api/endpoints/builtin_symbol_sources.py b/src/sentry/api/endpoints/builtin_symbol_sources.py
@@ -1,3 +1,5 @@
+from typing import cast
+
 from django.conf import settings
 from rest_framework.request import Request
 from rest_framework.response import Response
@@ -6,6 +8,8 @@
 from sentry.api.api_publish_status import ApiPublishStatus
 from sentry.api.base import Endpoint, region_silo_endpoint
 from sentry.api.serializers import serialize
+from sentry.models.organization import Organization
+from sentry.utils.console_platforms import organization_has_console_platform_access
 
 
 def normalize_symbol_source(key, source):
@@ -26,10 +30,36 @@ class BuiltinSymbolSourcesEndpoint(Endpoint):
     permission_classes = ()
 
     def get(self, request: Request, **kwargs) -> Response:
-        sources = [
-            normalize_symbol_source(key, source)
-            for key, source in settings.SENTRY_BUILTIN_SOURCES.items()
-        ]
+        platform = request.GET.get("platform")
+
+        # Get organization if organization context is available
+        organization = None
+        organization_id_or_slug = kwargs.get("organization_id_or_slug")
+        if organization_id_or_slug:
+            try:
+                if str(organization_id_or_slug).isdecimal():
+                    organization = Organization.objects.get_from_cache(id=organization_id_or_slug)
+                else:
+                    organization = Organization.objects.get_from_cache(slug=organization_id_or_slug)
+            except Organization.DoesNotExist:
+                pass
+
+        sources = []
+        for key, source in settings.SENTRY_BUILTIN_SOURCES.items():
+            source_platforms: list[str] | None = cast("list[str] | None", source.get("platforms"))
+
+            # If source has platform restrictions, check if current platform matches
+            if source_platforms is not None:
+                if not platform or platform not in source_platforms:
+                    continue
+
+                # Platform matches - now check if organization has access to this console platform
+                if not organization or not organization_has_console_platform_access(
+                    organization, platform
+                ):
+                    continue
+
+            sources.append(normalize_symbol_source(key, source))
 
         sources.sort(key=lambda s: s["name"])
         return Response(serialize(sources))
diff --git a/src/sentry/api/helpers/default_symbol_sources.py b/src/sentry/api/helpers/default_symbol_sources.py
@@ -1,3 +1,9 @@
+from typing import cast
+
+from django.conf import settings
+
+from sentry.constants import ENABLED_CONSOLE_PLATFORMS_DEFAULT
+from sentry.models.organization import Organization
 from sentry.models.project import Project
 from sentry.projects.services.project import RpcProject
 
@@ -7,11 +13,69 @@
     "unity": ["ios", "microsoft", "android", "nuget", "unity", "nvidia", "ubuntu"],
     "unreal": ["ios", "microsoft", "android", "nvidia", "ubuntu"],
     "godot": ["ios", "microsoft", "android", "nuget", "nvidia", "ubuntu"],
+    "nintendo-switch": ["nintendo"],
 }
 
 
-def set_default_symbol_sources(project: Project | RpcProject) -> None:
-    if project.platform and project.platform in DEFAULT_SYMBOL_SOURCES:
-        project.update_option(
-            "sentry:builtin_symbol_sources", DEFAULT_SYMBOL_SOURCES[project.platform]
-        )
+def set_default_symbol_sources(
+    project: Project | RpcProject, organization: Organization | None = None
+) -> None:
+    """
+    Sets default symbol sources for a project based on its platform.
+
+    For sources with platform restrictions (e.g., console platforms), this function checks
+    if the organization has access to the required platform before adding the source.
+
+    Args:
+        project: The project to configure symbol sources for
+        organization: Optional organization (fetched from project if not provided)
+    """
+    if not project.platform or project.platform not in DEFAULT_SYMBOL_SOURCES:
+        return
+
+    # Get organization from project if not provided
+    if organization is None:
+        if isinstance(project, Project):
+            organization = project.organization
+        else:
+            # For RpcProject, fetch organization by ID
+            try:
+                organization = Organization.objects.get_from_cache(id=project.organization_id)
+            except Organization.DoesNotExist:
+                # If organization doesn't exist, cannot set defaults
+                return
+
+    # Get default sources for this platform
+    source_keys = DEFAULT_SYMBOL_SOURCES[project.platform]
+
+    # Get enabled console platforms once (optimization to avoid repeated DB calls)
+    enabled_console_platforms = organization.get_option(
+        "sentry:enabled_console_platforms", ENABLED_CONSOLE_PLATFORMS_DEFAULT
+    )
+
+    # Filter sources based on platform restrictions and organization access
+    enabled_sources = []
+    for source_key in source_keys:
+        source_config = settings.SENTRY_BUILTIN_SOURCES.get(source_key)
+
+        # If source exists in config, check for platform restrictions
+        if source_config:
+            required_platforms: list[str] | None = cast(
+                "list[str] | None", source_config.get("platforms")
+            )
+            if required_platforms:
+                # Source is platform-restricted - check if org has access
+                # Only add source if org has access to at least one of the required platforms
+                has_access = any(
+                    platform in enabled_console_platforms for platform in required_platforms
+                )
+                if not has_access:
+                    continue
+
+        # Include the source (either it passed platform check or doesn't exist in config)
+        # Non-existent sources will be filtered out at runtime in sources.py
+        enabled_sources.append(source_key)
+
+    # Always update the option for recognized platforms, even if empty
+    # This ensures platform-specific defaults override epoch defaults
+    project.update_option("sentry:builtin_symbol_sources", enabled_sources)
diff --git a/src/sentry/core/endpoints/team_projects.py b/src/sentry/core/endpoints/team_projects.py
@@ -47,7 +47,7 @@ def apply_default_project_settings(organization: Organization, project: Project)
 
     set_default_disabled_detectors(project)
 
-    set_default_symbol_sources(project)
+    set_default_symbol_sources(project, organization)
 
     # Create project option to turn on ML similarity feature for new EA projects
     if project_is_seer_eligible(project):
diff --git a/src/sentry/lang/native/sources.py b/src/sentry/lang/native/sources.py
@@ -86,6 +86,7 @@
     "filters": FILTERS_SCHEMA,
     "is_public": {"type": "boolean"},
     "has_index": {"type": "boolean"},
+    "platforms": {"type": "array", "items": {"type": "string"}},
 }
 
 APP_STORE_CONNECT_SCHEMA = {
diff --git a/src/sentry/projectoptions/defaults.py b/src/sentry/projectoptions/defaults.py
@@ -33,9 +33,10 @@
     epoch_defaults={1: "4.x", 2: "5.x", 7: "6.x", 8: "7.x", 13: "8.x", 14: "9.x", 15: "10.x"},
 )
 
-# Default symbol sources.  The ios source does not exist by default and
-# will be skipped later.  The microsoft source exists by default and is
-# unlikely to be disabled.
+# Default symbol sources. The ios source does not exist by default and
+# will be skipped later. The microsoft source exists by default and is
+# unlikely to be disabled. Platform-specific sources may be added via
+# set_default_symbol_sources() when a project is created.
 register(
     key="sentry:builtin_symbol_sources",
     epoch_defaults={
diff --git a/src/sentry/tempest/utils.py b/src/sentry/tempest/utils.py
@@ -1,12 +1,9 @@
 from sentry.models.organization import Organization
+from sentry.utils.console_platforms import organization_has_console_platform_access
 
 
 def has_tempest_access(organization: Organization | None) -> bool:
-
     if not organization:
         return False
 
-    enabled_platforms = organization.get_option("sentry:enabled_console_platforms", [])
-    has_playstation_access = "playstation" in enabled_platforms
-
-    return has_playstation_access
+    return organization_has_console_platform_access(organization, "playstation")
diff --git a/src/sentry/utils/console_platforms.py b/src/sentry/utils/console_platforms.py
@@ -0,0 +1,19 @@
+from sentry.constants import ENABLED_CONSOLE_PLATFORMS_DEFAULT
+from sentry.models.organization import Organization
+
+
+def organization_has_console_platform_access(organization: Organization, platform: str) -> bool:
+    """
+    Check if an organization has access to a specific console platform.
+
+    Args:
+        organization: The organization to check
+        platform: The console platform (e.g., 'nintendo-switch', 'playstation', 'xbox')
+
+    Returns:
+        True if the organization has access to the console platform, False otherwise
+    """
+    enabled_console_platforms = organization.get_option(
+        "sentry:enabled_console_platforms", ENABLED_CONSOLE_PLATFORMS_DEFAULT
+    )
+    return platform in enabled_console_platforms
diff --git a/tests/sentry/api/endpoints/test_builtin_symbol_sources.py b/tests/sentry/api/endpoints/test_builtin_symbol_sources.py
@@ -1,5 +1,33 @@
+from django.test import override_settings
+
 from sentry.testutils.cases import APITestCase
 
+SENTRY_BUILTIN_SOURCES_PLATFORM_TEST = {
+    "public-source-1": {
+        "id": "sentry:public-1",
+        "name": "Public Source 1",
+        "type": "http",
+        "url": "https://example.com/symbols/",
+    },
+    "public-source-2": {
+        "id": "sentry:public-2",
+        "name": "Public Source 2",
+        "type": "http",
+        "url": "https://example.com/symbols2/",
+    },
+    "nintendo": {
+        "id": "sentry:nintendo",
+        "name": "Nintendo SDK",
+        "type": "s3",
+        "bucket": "nintendo-symbols",
+        "region": "us-east-1",
+        "access_key": "test-key",
+        "secret_key": "test-secret",
+        "layout": {"type": "native"},
+        "platforms": ["nintendo-switch"],
+    },
+}
+
 
 class BuiltinSymbolSourcesNoSlugTest(APITestCase):
     endpoint = "sentry-api-0-builtin-symbol-sources"
@@ -39,3 +67,77 @@ def test_with_slug(self) -> None:
         assert "id" in body[0]
         assert "name" in body[0]
         assert "hidden" in body[0]
+
+
+class BuiltinSymbolSourcesPlatformFilteringTest(APITestCase):
+    endpoint = "sentry-api-0-organization-builtin-symbol-sources"
+
+    def setUp(self) -> None:
+        super().setUp()
+        self.organization = self.create_organization(owner=self.user)
+        self.login_as(user=self.user)
+
+    @override_settings(SENTRY_BUILTIN_SOURCES=SENTRY_BUILTIN_SOURCES_PLATFORM_TEST)
+    def test_platform_filtering_nintendo_switch_with_access(self) -> None:
+        """Nintendo Switch platform should see nintendo source only if org has access"""
+        # Enable nintendo-switch for this organization
+        self.organization.update_option("sentry:enabled_console_platforms", ["nintendo-switch"])
+
+        resp = self.get_response(self.organization.slug, qs_params={"platform": "nintendo-switch"})
+        assert resp.status_code == 200
+
+        body = resp.data
+        source_keys = [source["sentry_key"] for source in body]
+
+        # Nintendo Switch with access should see nintendo
+        assert "nintendo" in source_keys
+        # Should also see public sources (no platform restriction)
+        assert "public-source-1" in source_keys
+        assert "public-source-2" in source_keys
+
+    @override_settings(SENTRY_BUILTIN_SOURCES=SENTRY_BUILTIN_SOURCES_PLATFORM_TEST)
+    def test_platform_filtering_nintendo_switch_without_access(self) -> None:
+        """Nintendo Switch platform should NOT see nintendo if org lacks access"""
+        # Organization does not have nintendo-switch enabled (default is empty list)
+
+        resp = self.get_response(self.organization.slug, qs_params={"platform": "nintendo-switch"})
+        assert resp.status_code == 200
+
+        body = resp.data
+        source_keys = [source["sentry_key"] for source in body]
+
+        # Should NOT see nintendo without console platform access
+        assert "nintendo" not in source_keys
+        # Should still see public sources
+        assert "public-source-1" in source_keys
+        assert "public-source-2" in source_keys
+
+    @override_settings(SENTRY_BUILTIN_SOURCES=SENTRY_BUILTIN_SOURCES_PLATFORM_TEST)
+    def test_platform_filtering_unity(self) -> None:
+        """Unity platform should NOT see nintendo source"""
+        resp = self.get_response(self.organization.slug, qs_params={"platform": "unity"})
+        assert resp.status_code == 200
+
+        body = resp.data
+        source_keys = [source["sentry_key"] for source in body]
+
+        # Unity should see public sources (no platform restriction)
+        assert "public-source-1" in source_keys
+        assert "public-source-2" in source_keys
+        # Unity should NOT see nintendo (restricted to nintendo-switch)
+        assert "nintendo" not in source_keys
+
+    @override_settings(SENTRY_BUILTIN_SOURCES=SENTRY_BUILTIN_SOURCES_PLATFORM_TEST)
+    def test_no_platform_parameter(self) -> None:
+        """Without platform parameter, should see public sources but not platform-restricted ones"""
+        resp = self.get_response(self.organization.slug)
+        assert resp.status_code == 200
+
+        body = resp.data
+        source_keys = [source["sentry_key"] for source in body]
+
+        # Should see public sources (no platform restriction)
+        assert "public-source-1" in source_keys
+        assert "public-source-2" in source_keys
+        # Should NOT see platform-restricted source when no platform is provided
+        assert "nintendo" not in source_keys
diff --git a/tests/sentry/api/helpers/test_default_symbol_sources.py b/tests/sentry/api/helpers/test_default_symbol_sources.py

Original file line number	Diff line number	Diff line change
`@@ -86,6 +86,7 @@`
`86`	`86`	`"filters": FILTERS_SCHEMA,`
`87`	`87`	`"is_public": {"type": "boolean"},`
`88`	`88`	`"has_index": {"type": "boolean"},`
	`89`	`+ "platforms": {"type": "array", "items": {"type": "string"}},`
`89`	`90`	`}`
`90`	`91`
`91`	`92`	`APP_STORE_CONNECT_SCHEMA = {`