Query ArtifactBundles filtered by Project (#48987)

The Lookup query for Artifact Bundles was too open, and would consider
files matching a release in a different project.

src/sentry/api/endpoints/artifact_lookup.py

@@ -13,9 +13,7 @@ from sentry.api.endpoints.debug_files import has_download_permission
 from sentry.api.serializers import serialize
 from sentry.auth.system import is_system_auth
 from sentry.lang.native.sources import get_internal_artifact_lookup_source_url
-from sentry.models import DebugIdArtifactBundle, Distribution, File, Release, ReleaseFile
-from sentry.models.artifactbundle import ReleaseArtifactBundle
-from sentry.models.project import Project
+from sentry.models import ArtifactBundle, Distribution, File, Project, Release, ReleaseFile
 
 logger = logging.getLogger("sentry.api")
 
@@ -148,13 +146,12 @@ class ProjectArtifactLookupEndpoint(ProjectEndpoint):
 def get_artifact_bundles_containing_debug_id(debug_id: str, project: Project) -> Set[int]:
     # We want to have the newest `File` for each `debug_id`.
     return set(
-        DebugIdArtifactBundle.objects.filter(
+        ArtifactBundle.objects.filter(
             organization_id=project.organization.id,
-            debug_id=debug_id,
+            debugidartifactbundle__debug_id=debug_id,
         )
-        .select_related("artifact_bundle__file_id")
-        .values_list("artifact_bundle__file_id", flat=True)
-        .order_by("-artifact_bundle__date_uploaded")[:1]
+        .values_list("file_id", flat=True)
+        .order_by("-date_uploaded")[:1]
     )
 
 
@@ -164,16 +161,16 @@ def get_release_artifacts(
     dist_name: Optional[str],
 ) -> Set[int]:
     return set(
-        ReleaseArtifactBundle.objects.filter(
+        ArtifactBundle.objects.filter(
             organization_id=project.organization.id,
-            release_name=release_name,
+            projectartifactbundle__project_id=project.id,
+            releaseartifactbundle__release_name=release_name,
             # In case no dist is provided, we will fall back to "" which is the NULL equivalent for our tables.
             # See `_create_artifact_bundle` in `src/sentry/tasks/assemble.py` for the reference.
-            dist_name=dist_name or "",
+            releaseartifactbundle__dist_name=dist_name or "",
         )
-        .select_related("artifact_bundle__file_id")
-        .values_list("artifact_bundle__file_id", flat=True)
-        .order_by("-artifact_bundle__date_uploaded")[:MAX_BUNDLES_QUERY]
+        .values_list("file_id", flat=True)
+        .order_by("-date_uploaded")[:MAX_BUNDLES_QUERY]
     )
 
 

tests/sentry/api/endpoints/test_project_artifact_lookup.py

@@ -6,8 +6,15 @@ from uuid import uuid4
 
 from django.urls import reverse
 
-from sentry.models import ArtifactBundle, DebugIdArtifactBundle, File, ReleaseFile, SourceFileType
-from sentry.models.artifactbundle import ReleaseArtifactBundle
+from sentry.models import (
+    ArtifactBundle,
+    DebugIdArtifactBundle,
+    File,
+    ProjectArtifactBundle,
+    ReleaseArtifactBundle,
+    ReleaseFile,
+    SourceFileType,
+)
 from sentry.models.releasefile import read_artifact_index, update_artifact_index
 from sentry.testutils import APITestCase
 from sentry.utils import json
@@ -235,12 +242,22 @@ class ArtifactLookupTest(APITestCase):
             dist_name=dist.name,
             artifact_bundle=artifact_bundle_a,
         )
+        ProjectArtifactBundle.objects.create(
+            organization_id=self.organization.id,
+            project_id=self.project.id,
+            artifact_bundle=artifact_bundle_a,
+        )
         ReleaseArtifactBundle.objects.create(
             organization_id=self.organization.id,
             release_name=self.release.version,
             dist_name=dist.name,
             artifact_bundle=artifact_bundle_b,
         )
+        ProjectArtifactBundle.objects.create(
+            organization_id=self.organization.id,
+            project_id=self.project.id,
+            artifact_bundle=artifact_bundle_b,
+        )
 
         self.login_as(user=self.user)