feat(snapshots): Authenticate with Objectstore

Cargo.toml

@@ -44,7 +44,7 @@ java-properties = "2.0.0"
 lazy_static = "1.4.0"
 libc = "0.2.139"
 log = { version = "0.4.17", features = ["std"] }
-objectstore-client = { version = "0.1.2" , default-features = false, features = ["native-tls"] }
+objectstore-client = { version = "0.1.6" , default-features = false, features = ["native-tls"] }
 open = "3.2.0"
 parking_lot = "0.12.1"
 percent-encoding = "2.2.0"
@@ -79,7 +79,7 @@ zip = "2.4.2"
 data-encoding = "2.3.3"
 magic_string = "0.3.4"
 chrono-tz = "0.8.4"
-secrecy = "0.8.0"
+secrecy = { version = "0.8.0", features = ["serde"] }
 lru = "0.16.3"
 backon = { version = "1.5.2", features = ["std", "std-blocking-sleep"] }
 

src/api/mod.rs

@@ -33,7 +33,7 @@ use lazy_static::lazy_static;
 use log::{debug, info, warn};
 use parking_lot::Mutex;
 use regex::{Captures, Regex};
-use secrecy::ExposeSecret as _;
+use secrecy::{ExposeSecret as _, SecretString};
 use serde::de::DeserializeOwned;
 use serde::{Deserialize, Serialize};
 use sha1_smol::Digest;
@@ -2065,5 +2065,6 @@ pub struct SnapshotsUploadOptions {
 pub struct ObjectstoreUploadOptions {
     pub url: String,
     pub scopes: Vec<(String, String)>,
+    pub auth_token: Option<SecretString>,
     pub expiration_policy: String,
 }

src/commands/build/snapshots.rs

@@ -295,15 +295,26 @@ fn upload_images(
     let expiration = ExpirationPolicy::from_str(&options.objectstore.expiration_policy)
         .context("Failed to parse expiration policy from upload options")?;
 
-    let client = ClientBuilder::new(options.objectstore.url)
-        .token({
-            // TODO: replace with auth from `ObjectstoreUploadOptions` when appropriate
-            let auth = match authenticated_api.auth() {
-                Auth::Token(token) => token.raw().expose_secret().to_owned(),
-            };
-            auth
+    let mut builder = ClientBuilder::new(options.objectstore.url);
+    if let Some(token) = options.objectstore.auth_token {
+        builder = builder.token(token.expose_secret().to_owned());
+    }
+    let builder = builder;
+
+    let sentry_token = match authenticated_api.auth() {
+        Auth::Token(token) => token.raw().expose_secret().to_owned(),
+    };
+    let sentry_token = format!("Bearer {sentry_token}")
+        .parse()
+        // Ignore original error to avoid leaking the token (even though it's invalid)
+        .map_err(|_| anyhow::anyhow!("Invalid auth token"))?;
+    let client = builder
+        .configure_reqwest(|r| {
+            let mut headers = http::HeaderMap::new();
+            headers.insert(http::header::AUTHORIZATION, sentry_token);
+            r.connect_timeout(Duration::from_secs(10))
+                .default_headers(headers)
         })
-        .configure_reqwest(|r| r.connect_timeout(Duration::from_secs(10)))
         .build()?;
 
     let mut scope = Usecase::new("preprod").scope();
@@ -400,7 +411,7 @@ fn upload_images(
         warn!("Some images share identical file names. Only the first occurrence of each is included:{details}");
     }
 
-    let result = runtime.block_on(async { many_builder.send().error_for_failures().await });
+    let result = runtime.block_on(async { many_builder.send().await.error_for_failures().await });
 
     let uploaded_count = manifest_entries.len();