smart_proxy_container_gateway 1.2.0 → 3.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3d41b324aaa36809e103fc5a20cf934ed6821825355d6968e140f1ec1135c347
-  data.tar.gz: 645b65950210122681aed76963da3a95cb48ef75284c139046c992ff49bfa30f
+  metadata.gz: bb4e40d814ff330008ad5f1bf4bf667ba9e91415bc997ea4d66a2beb7fb0a00e
+  data.tar.gz: 84360d1228198e91460a2b841985b12c5c9f5d5d062d191862a2e9cc5bef10e9
 SHA512:
-  metadata.gz: 012b85b6a699b3f3887d3ec69e2995aa230c26be432c4353052946065135cfe5496dac8d27a4c7d3e5533f40dcc6c584fae81e22b695ea7af8e8087b6e80ddc3
-  data.tar.gz: 0a1ce283eb9b6fbbb9ec3360a16b7b76107b9f294ba3d5a58cac0e9147c94a672643de50027d4086a4701ee01a1c52311f2120b8bbb74f2b870f9a0e7764eba5
+  metadata.gz: 37997d8de598e480912ecc0785fc755138aa90163dcb20981210eff4a935ae85a49a157b8c51189a6a13a6a29a1ff391429e477257d466b0b9d0d19d04d33fcd
+  data.tar.gz: 5a81a246030ed8d9fcd7b847c30fb241c2974e203ae09b256a017432cffa549073430a203e5d6231f55527db005237477a4903482c88ddad47e4c2ca894f8def

data/README.md

@@ -35,11 +35,22 @@ The Container Gateway plugin requires a Pulp 3 instance to connect to.  Related
 
 # Database information
 
-SQLite database migrations are completely automated.  The plugin checks if the database is up-to-date before each query.
+SQLite and PostgreSQL are supported, with SQLite being the default for development and testing.
+Use PostgreSQL in production for improved performance by adding the following settings:
+```
+# Example PostgreSQL connection settings, using UNIX socket and ident auth
+:db_connection_string: postgres:///container_gateway
+```
+
+When switching from SQLite to PostgreSQL, if the PostgreSQL database is empty, the SQLite database will be automatically migrated to PostgreSQL.
+For the migration to work, the sqlite_db_path setting must point to the old SQLite database file if the default (no setting definition) was not used.
+The SQLite database file will be deleted after the migration to PostgreSQL is complete.
+
+Database migrations are completely automated.  The plugin checks if the database is up-to-date at initialization time.
 
 # Katello interaction
 
-Auth information is retrieved from the Katello server during smart proxy sync time and cached in the SQLite database.
+Auth information is retrieved from the Katello server during smart proxy sync time and cached in the database.
 
 Logging in with a container client will cause the Container Gateway to fetch a token from Katello using the login information.
 

data/lib/smart_proxy_container_gateway/container_gateway.rb

@@ -7,7 +7,6 @@ module Proxy
 
       default_settings :pulp_endpoint => "https://#{`hostname`.strip}",
                        :katello_registry_path => '/v2/',
-                       :sqlite_db_path => '/var/lib/foreman-proxy/smart_proxy_container_gateway.db',
                        :sqlite_timeout => 30_000
 
       # Load defaults that copy values from SETTINGS. This is done as
@@ -25,6 +24,27 @@ module Proxy
       validate :pulp_endpoint, url: true
 
       rackup_path File.join(__dir__, 'container_gateway_http_config.ru')
+
+      load_dependency_injection_wirings do |container_instance, settings|
+        container_instance.singleton_dependency :database_impl, (lambda do
+          connection_string = settings.fetch(:db_connection_string) do
+            unless settings[:sqlite_db_path]
+              raise ValueError, 'Missing db_connection_string or sqlite_db_path option'
+            end
+
+            # Legacy setup
+            "sqlite://#{settings[:sqlite_db_path]}?timeout=#{settings[:sqlite_timeout]}"
+          end
+
+          Proxy::ContainerGateway::Database.new(connection_string, settings[:sqlite_db_path])
+        end)
+        container_instance.singleton_dependency :container_gateway_main_impl, (lambda do
+          Proxy::ContainerGateway::ContainerGatewayMain.new(
+            database: container_instance.get_dependency(:database_impl),
+            **settings.slice(:pulp_endpoint, :pulp_client_ssl_ca, :pulp_client_ssl_cert, :pulp_client_ssl_key)
+          )
+        end)
+      end
     end
   end
 end

data/lib/smart_proxy_container_gateway/container_gateway_api.rb

@@ -6,7 +6,6 @@ require 'sinatra'
 require 'smart_proxy_container_gateway/container_gateway'
 require 'smart_proxy_container_gateway/container_gateway_main'
 require 'smart_proxy_container_gateway/foreman_api'
-require 'sqlite3'
 
 module Proxy
   module ContainerGateway
@@ -14,15 +13,23 @@ module Proxy
       include ::Proxy::Log
       helpers ::Proxy::Helpers
       helpers ::Sinatra::Authorization::Helpers
+      extend ::Proxy::ContainerGateway::DependencyInjection
+
+      inject_attr :database_impl, :database
+      inject_attr :container_gateway_main_impl, :container_gateway_main
 
       get '/v1/_ping/?' do
-        Proxy::ContainerGateway.ping
+        pulp_response = container_gateway_main.ping(translated_headers_for_proxy)
+        status pulp_response.code.to_i
+        body pulp_response.body
       end
 
       get '/v2/?' do
         if auth_header.present? && (auth_header.unauthorized_token? || auth_header.valid_user_token?)
           response.headers['Docker-Distribution-API-Version'] = 'registry/2.0'
-          Proxy::ContainerGateway.ping
+          pulp_response = container_gateway_main.ping(translated_headers_for_proxy)
+          status pulp_response.code.to_i
+          body pulp_response.body
         else
           redirect_authorization_headers
           halt 401, "unauthorized"
@@ -33,22 +40,34 @@ module Proxy
         repository = params[:splat][0]
         tag = params[:splat][1]
         handle_repo_auth(repository, auth_header, request)
-        redirection_location = Proxy::ContainerGateway.manifests(repository, tag)
-        redirect to(redirection_location)
+        pulp_response = container_gateway_main.manifests(repository, tag, translated_headers_for_proxy)
+        if pulp_response.code.to_i >= 400
+          status pulp_response.code.to_i
+          body pulp_response.body
+        else
+          redirection_location = pulp_response['location']
+          redirect to(redirection_location)
+        end
       end
 
       get '/v2/*/blobs/*/?' do
         repository = params[:splat][0]
         digest = params[:splat][1]
         handle_repo_auth(repository, auth_header, request)
-        redirection_location = Proxy::ContainerGateway.blobs(repository, digest)
-        redirect to(redirection_location)
+        pulp_response = container_gateway_main.blobs(repository, digest, translated_headers_for_proxy)
+        if pulp_response.code.to_i >= 400
+          status pulp_response.code.to_i
+          body pulp_response.body
+        else
+          redirection_location = pulp_response['location']
+          redirect to(redirection_location)
+        end
       end
 
       get '/v2/*/tags/list/?' do
         repository = params[:splat][0]
         handle_repo_auth(repository, auth_header, request)
-        pulp_response = Proxy::ContainerGateway.tags(repository, params)
+        pulp_response = container_gateway_main.tags(repository, translated_headers_for_proxy, params)
         # "link"=>["<http://pulpcore-api/v2/container-image-name/tags/list?n=100&last=last-tag-name>; rel=\"next\""],
         # https://docs.docker.com/registry/spec/api/#pagination-1
         if pulp_response['link'].nil?
@@ -56,7 +75,8 @@ module Proxy
         else
           headers['link'] = pulp_response['link']
         end
-        pulp_response.body
+        status pulp_response.code.to_i
+        body pulp_response.body
       end
 
       get '/v1/search/?' do
@@ -74,19 +94,23 @@ module Proxy
           end
           params[:user] = username
         end
-        repositories = Proxy::ContainerGateway.v1_search(params)
+        repositories = container_gateway_main.v1_search(params)
 
         content_type :json
-        { num_results: repositories.size, query: params[:q], results: repositories }.to_json
+        {
+          num_results: repositories.size,
+          query: params[:q],
+          results: repositories.map { |repo_name| { description: '', name: repo_name } }
+        }.to_json
       end
 
       get '/v2/_catalog/?' do
         catalog = []
         if auth_header.present?
           if auth_header.unauthorized_token?
-            catalog = Proxy::ContainerGateway.catalog
+            catalog = container_gateway_main.catalog.select_map(::Sequel[:repositories][:name])
           elsif auth_header.valid_user_token?
-            catalog = Proxy::ContainerGateway.catalog(auth_header.user)
+            catalog = container_gateway_main.catalog(auth_header.user).select_map(::Sequel[:repositories][:name])
           else
             redirect_authorization_headers
             halt 401, "unauthorized"
@@ -131,7 +155,7 @@ module Proxy
           expires_in = token_response_body.fetch("expires_in", 60)
           expires_at = token_issue_time + expires_in.seconds
 
-          ContainerGateway.insert_token(
+          container_gateway_main.insert_token(
             request.params['account'],
             token_response_body['token'],
             expires_at.rfc3339
@@ -141,8 +165,8 @@ module Proxy
           if repo_response.code.to_i != 200
             halt repo_response.code.to_i, repo_response.body
           else
-            ContainerGateway.update_user_repositories(request.params['account'],
-                                                      JSON.parse(repo_response.body)['repositories'])
+            container_gateway_main.update_user_repositories(request.params['account'],
+                                                            JSON.parse(repo_response.body)['repositories'])
           end
 
           # Return the original token response from Katello
@@ -154,13 +178,13 @@ module Proxy
         do_authorize_any
 
         content_type :json
-        { users: User.map(:name) }.to_json
+        { users: database.connection[:users].map(:name) }.to_json
       end
 
       put '/user_repository_mapping/?' do
         do_authorize_any
 
-        ContainerGateway.update_user_repo_mapping(params)
+        container_gateway_main.update_user_repo_mapping(params)
         {}
       end
 
@@ -168,22 +192,32 @@ module Proxy
         do_authorize_any
 
         repositories = params['repositories'].nil? ? [] : params['repositories']
-        ContainerGateway.update_repository_list(repositories)
+        container_gateway_main.update_repository_list(repositories)
         {}
       end
 
       private
 
+      def translated_headers_for_proxy
+        current_headers = {}
+        env = request.env.select do |key, _value|
+          key.match("^HTTP_.*")
+        end
+        env.each do |header|
+          current_headers[header[0].split('_')[1..].join('-')] = header[1]
+        end
+        current_headers
+      end
+
       def handle_repo_auth(repository, auth_header, request)
         user_token_is_valid = false
-        # FIXME: Getting unauthenticated token here...
         if auth_header.present? && auth_header.valid_user_token?
           user_token_is_valid = true
-          username = auth_header.user.name
+          username = auth_header.user[:name]
         end
         username = request.params['account'] if username.nil?
 
-        return if Proxy::ContainerGateway.authorized_for_repo?(repository, user_token_is_valid, username)
+        return if container_gateway_main.authorized_for_repo?(repository, user_token_is_valid, username)
 
         redirect_authorization_headers
         halt 401, "unauthorized"
@@ -201,6 +235,10 @@ module Proxy
       end
 
       class AuthorizationHeader
+        extend ::Proxy::ContainerGateway::DependencyInjection
+
+        inject_attr :database_impl, :database
+        inject_attr :container_gateway_main_impl, :container_gateway_main
         UNAUTHORIZED_TOKEN = 'unauthorized'.freeze
 
         def initialize(value)
@@ -208,11 +246,11 @@ module Proxy
         end
 
         def user
-          ContainerGateway.token_user(@value.split(' ')[1])
+          container_gateway_main.token_user(@value.split(' ')[1])
         end
 
         def valid_user_token?
-          token_auth? && ContainerGateway.valid_token?(@value.split(' ')[1])
+          token_auth? && container_gateway_main.valid_token?(@value.split(' ')[1])
         end
 
         def raw_header

data/lib/smart_proxy_container_gateway/container_gateway_main.rb

@@ -1,47 +1,62 @@
 require 'net/http'
 require 'uri'
 require 'digest'
+require 'smart_proxy_container_gateway/dependency_injection'
 require 'sequel'
 module Proxy
   module ContainerGateway
     extend ::Proxy::Util
     extend ::Proxy::Log
 
-    class << self
-      Sequel.extension :migration, :core_extensions
-      def pulp_registry_request(uri)
+    class ContainerGatewayMain
+      attr_reader :database
+
+      def initialize(database:, pulp_endpoint:, pulp_client_ssl_ca:, pulp_client_ssl_cert:, pulp_client_ssl_key:)
+        @database = database
+        @pulp_endpoint = pulp_endpoint
+        @pulp_client_ssl_ca = pulp_client_ssl_ca
+        @pulp_client_ssl_cert = OpenSSL::X509::Certificate.new(File.read(pulp_client_ssl_cert))
+        @pulp_client_ssl_key = OpenSSL::PKey::RSA.new(
+          File.read(pulp_client_ssl_key)
+        )
+      end
+
+      def pulp_registry_request(uri, headers)
         http_client = Net::HTTP.new(uri.host, uri.port)
-        http_client.ca_file = pulp_ca
-        http_client.cert = pulp_cert
-        http_client.key = pulp_key
+        http_client.ca_file = @pulp_client_ssl_ca
+        http_client.cert = @pulp_client_ssl_cert
+        http_client.key = @pulp_client_ssl_key
         http_client.use_ssl = true
 
         http_client.start do |http|
           request = Net::HTTP::Get.new uri
+          headers.each do |key, value|
+            request[key] = value
+          end
           http.request request
         end
       end
 
-      def ping
-        uri = URI.parse("#{Proxy::ContainerGateway::Plugin.settings.pulp_endpoint}/pulpcore_registry/v2/")
-        pulp_registry_request(uri).body
+      def ping(headers)
+        uri = URI.parse("#{@pulp_endpoint}/pulpcore_registry/v2/")
+        pulp_registry_request(uri, headers)
       end
 
-      def manifests(repository, tag)
+      def manifests(repository, tag, headers)
         uri = URI.parse(
-          "#{Proxy::ContainerGateway::Plugin.settings.pulp_endpoint}/pulpcore_registry/v2/#{repository}/manifests/#{tag}"
+          "#{@pulp_endpoint}/pulpcore_registry/v2/#{repository}/manifests/#{tag}"
         )
-        pulp_registry_request(uri)['location']
+        pulp_registry_request(uri, headers)
       end
 
-      def blobs(repository, digest)
+      def blobs(repository, digest, headers)
         uri = URI.parse(
-          "#{Proxy::ContainerGateway::Plugin.settings.pulp_endpoint}/pulpcore_registry/v2/#{repository}/blobs/#{digest}"
+          "#{@pulp_endpoint}/pulpcore_registry/v2/#{repository}/blobs/#{digest}"
         )
-        pulp_registry_request(uri)['location']
+        pulp_registry_request(uri, headers)
       end
 
-      def tags(repository, params = {})
+      def tags(repository, headers, params = {})
         query = "?"
         unless params[:n].nil? || params[:n] == ""
           query = "#{query}n=#{params[:n]}"
@@ -50,51 +65,54 @@ module Proxy
         query = "#{query}last=#{params[:last]}" unless params[:last].nil? || params[:last] == ""
 
         uri = URI.parse(
-          "#{Proxy::ContainerGateway::Plugin.settings.pulp_endpoint}/pulpcore_registry/v2/#{repository}/tags/list#{query}"
+          "#{@pulp_endpoint}/pulpcore_registry/v2/#{repository}/tags/list#{query}"
         )
-        pulp_registry_request(uri)
+        pulp_registry_request(uri, headers)
       end
 
       def v1_search(params = {})
         if params[:n].nil? || params[:n] == ""
-          params[:n] = 25
+          limit = 25
         else
-          params[:n] = params[:n].to_i
+          limit = params[:n].to_i
         end
+        return [] unless limit.positive?
 
-        repo_count = 0
-        repositories = []
-        user = params[:user].nil? ? nil : User.find(name: params[:user])
-        Proxy::ContainerGateway.catalog(user).each do |repo_name|
-          break if repo_count >= params[:n]
+        query = params[:q]
+        query = nil if query == ''
 
-          if params[:q].nil? || params[:q] == "" || repo_name.include?(params[:q])
-            repo_count += 1
-            repositories << { name: repo_name }
-          end
-        end
-        repositories
+        user = params[:user].nil? ? nil : database.connection[:users][{ name: params[:user] }]
+
+        repositories = query ? catalog(user).grep(:name, "%#{query}%") : catalog(user)
+        repositories.limit(limit).select_map(::Sequel[:repositories][:name])
       end
 
       def catalog(user = nil)
         if user.nil?
           unauthenticated_repos
         else
-          (unauthenticated_repos + user.repositories_dataset.map(:name)).sort
+          database.connection[:repositories].
+            left_join(:repositories_users, repository_id: :id).
+            left_join(:users, ::Sequel[:users][:id] => :user_id).where(user_id: user[:id]).
+            or(Sequel[:repositories][:auth_required] => false).order(::Sequel[:repositories][:name])
         end
       end
 
       def unauthenticated_repos
-        Repository.where(auth_required: false).order(:name).map(:name)
+        database.connection[:repositories].where(auth_required: false).order(:name)
       end
 
       # Replaces the entire list of repositories
       def update_repository_list(repo_list)
-        RepositoryUser.dataset.delete
-        Repository.dataset.delete
-        repo_list.each do |repo|
-          Repository.find_or_create(name: repo['repository'],
-                                    auth_required: repo['auth_required'].to_s.downcase == "true")
+        # repositories_users cascades on deleting repositories (or users)
+        database.connection.transaction(isolation: :serializable, retry_on: [Sequel::SerializationFailure]) do
+          repository = database.connection[:repositories]
+          repository.delete
+
+          repository.import(
+            %i[name auth_required],
+            repo_list.map { |repo| [repo['repository'], repo['auth_required'].to_s.downcase == "true"] }
+          )
         end
       end
 
@@ -103,122 +121,95 @@ module Proxy
         # Get hash map of all users and their repositories
         # Ex: {"users"=> [{"admin"=>[{"repository"=>"repo", "auth_required"=>"true"}]}]}
         # Go through list of repositories and add them to the DB
-        RepositoryUser.dataset.delete
-        user_repo_maps['users'].each do |user_repo_map|
-          user_repo_map.each do |user, repos|
-            next if repos.nil?
-
-            repos.each do |repo|
-              found_repo = Repository.find(name: repo['repository'],
-                                           auth_required: repo['auth_required'].to_s.downcase == "true")
-              if found_repo.nil?
-                logger.warn("#{repo['repository']} does not exist in this smart proxy's environments")
-              elsif found_repo.auth_required
-                found_repo.add_user(User.find(name: user))
-              end
+        repositories = database.connection[:repositories]
+
+        entries = user_repo_maps['users'].flat_map do |user_repo_map|
+          user_repo_map.filter_map do |username, repos|
+            user_repo_names = repos.filter { |repo| repo['auth_required'].to_s.downcase == "true" }.map do |repo|
+              repo['repository']
             end
+            user = database.connection[:users][{ name: username }]
+            repositories.where(name: user_repo_names, auth_required: true).select(:id).map { |repo| [repo[:id], user[:id]] }
           end
         end
+        entries.flatten!(1)
+
+        repositories_users = database.connection[:repositories_users]
+        database.connection.transaction(isolation: :serializable, retry_on: [Sequel::SerializationFailure]) do
+          repositories_users.delete
+          repositories_users.import(%i[repository_id user_id], entries)
+        end
       end
 
       # Replaces the user-repo mapping for a single user
       def update_user_repositories(username, repositories)
-        user = User.where(name: username).first
-        user.remove_all_repositories
-        repositories.each do |repo_name|
-          found_repo = Repository.find(name: repo_name)
-          if found_repo.nil?
-            logger.warn("#{repo_name} does not exist in this smart proxy's environments")
-          elsif user.repositories_dataset.where(name: repo_name).first.nil? && found_repo.auth_required
-            user.add_repository(found_repo)
-          end
+        user = database.connection[:users][{ name: username }]
+
+        user_repositories = database.connection[:repositories_users]
+        database.connection.transaction(isolation: :serializable,
+                                        retry_on: [Sequel::SerializationFailure],
+                                        num_retries: 10) do
+          user_repositories.where(user_id: user[:id]).delete
+
+          user_repositories.import(
+            %i[repository_id user_id],
+            database.connection[:repositories].where(name: repositories, auth_required: true).select(:id).map do |repo|
+              [repo[:id], user[:id]]
+            end
+          )
         end
       end
 
       def authorized_for_repo?(repo_name, user_token_is_valid, username = nil)
-        repository = Repository.where(name: repo_name).first
+        repository = database.connection[:repositories][{ name: repo_name }]
 
         # Repository doesn't exist
         return false if repository.nil?
 
         # Repository doesn't require auth
-        return true unless repository.auth_required
+        return true unless repository[:auth_required]
 
-        if username && user_token_is_valid && repository.auth_required
+        if username && user_token_is_valid
           # User is logged in and has access to the repository
-          user = User.find(name: username)
-          return !user.repositories_dataset.where(name: repo_name).first.nil?
+          return !database.connection[:repositories_users].where(
+            repository_id: repository[:id], user_id: database.connection[:users].first(name: username)[:id]
+          ).empty?
         end
 
         false
       end
 
       def token_user(token)
-        User[AuthenticationToken.find(token_checksum: Digest::SHA256.hexdigest(token)).user_id]
+        database.connection[:users][{
+          id: database.connection[:authentication_tokens].where(token_checksum: checksum(token)).select(:user_id)
+        }]
       end
 
       def valid_token?(token)
-        AuthenticationToken.where(token_checksum: Digest::SHA256.hexdigest(token)).where do
+        !database.connection[:authentication_tokens].where(token_checksum: checksum(token)).where do
           expire_at > Sequel::CURRENT_TIMESTAMP
-        end.count.positive?
+        end.empty?
       end
 
       def insert_token(username, token, expire_at_string, clear_expired_tokens: true)
         checksum = Digest::SHA256.hexdigest(token)
-        user = User.find_or_create(name: username)
-
-        AuthenticationToken.where(:token_checksum => checksum).delete
-        AuthenticationToken.create(token_checksum: checksum, expire_at: expire_at_string.to_s, user_id: user.id)
-        AuthenticationToken.where { expire_at < Sequel::CURRENT_TIMESTAMP }.delete if clear_expired_tokens
-      end
-
-      def initialize_db
-        file_path = Proxy::ContainerGateway::Plugin.settings.sqlite_db_path
-        sqlite_timeout = Proxy::ContainerGateway::Plugin.settings.sqlite_timeout
-        conn = Sequel.connect("sqlite://#{file_path}", timeout: sqlite_timeout)
-        container_gateway_path = $LOAD_PATH.detect { |path| path.include? 'smart_proxy_container_gateway' }
-        begin
-          Sequel::Migrator.check_current(conn, "#{container_gateway_path}/smart_proxy_container_gateway/sequel_migrations")
-        rescue Sequel::Migrator::NotCurrentError
-          migrate_db(conn, container_gateway_path)
-        end
-        conn
-      end
+        user = Sequel::Model(database.connection[:users]).find_or_create(name: username)
 
-      private
-
-      def migrate_db(db_connection, container_gateway_path)
-        Sequel::Migrator.run(db_connection, "#{container_gateway_path}/smart_proxy_container_gateway/sequel_migrations")
-      end
+        database.connection.transaction(isolation: :serializable, retry_on: [Sequel::SerializationFailure]) do
+          database.connection[:authentication_tokens].where(:token_checksum => checksum).delete
+          Sequel::Model(database.connection[:authentication_tokens]).
+            create(token_checksum: checksum, expire_at: expire_at_string.to_s, user_id: user.id)
+          return unless clear_expired_tokens
 
-      def pulp_ca
-        Proxy::ContainerGateway::Plugin.settings.pulp_client_ssl_ca
+          database.connection[:authentication_tokens].where { expire_at < Sequel::CURRENT_TIMESTAMP }.delete
+        end
       end
 
-      def pulp_cert
-        OpenSSL::X509::Certificate.new(File.read(Proxy::ContainerGateway::Plugin.settings.pulp_client_ssl_cert))
-      end
+      private
 
-      def pulp_key
-        OpenSSL::PKey::RSA.new(
-          File.read(Proxy::ContainerGateway::Plugin.settings.pulp_client_ssl_key)
-        )
+      def checksum(token)
+        Digest::SHA256.hexdigest(token)
       end
     end
-
-    class Repository < ::Sequel::Model(Proxy::ContainerGateway.initialize_db[:repositories])
-      many_to_many :users
-    end
-
-    class User < ::Sequel::Model(Proxy::ContainerGateway.initialize_db[:users])
-      many_to_many :repositories
-      one_to_many :authentication_tokens
-    end
-
-    class RepositoryUser < ::Sequel::Model(Proxy::ContainerGateway.initialize_db[:repositories_users]); end
-
-    class AuthenticationToken < ::Sequel::Model(Proxy::ContainerGateway.initialize_db[:authentication_tokens])
-      many_to_one :users
-    end
   end
 end

data/lib/smart_proxy_container_gateway/database.rb

@@ -0,0 +1,46 @@
+require 'sequel'
+module Proxy
+  module ContainerGateway
+    class Database
+      attr_reader :connection
+
+      def initialize(connection_string, prior_sqlite_db_path = nil)
+        @connection = Sequel.connect(connection_string)
+        if connection_string.start_with?('sqlite://')
+          @connection.run("PRAGMA foreign_keys = ON;")
+          @connection.run("PRAGMA journal_mode = wal;")
+        elsif prior_sqlite_db_path && File.exist?(prior_sqlite_db_path) &&
+              (!@connection.table_exists?(:repositories) || @connection[:repositories].count.zero?)
+          migrate_to_postgres(Sequel.sqlite(prior_sqlite_db_path), @connection)
+          File.delete(prior_sqlite_db_path)
+        end
+        migrate
+      end
+
+      private
+
+      def migrate
+        Sequel.extension :migration, :core_extensions
+        migration_path = File.join(__dir__, 'sequel_migrations')
+        begin
+          Sequel::Migrator.check_current(@connection, migration_path)
+        rescue Sequel::Migrator::NotCurrentError
+          Sequel::Migrator.run(@connection, migration_path)
+        end
+      end
+
+      def migrate_to_postgres(sqlite_db, postgres_db)
+        migrate
+        sqlite_db.transaction do
+          sqlite_db.tables.each do |table|
+            next if table == :schema_info
+
+            sqlite_db[table].each do |row|
+              postgres_db[table.to_sym].insert(row)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/smart_proxy_container_gateway/dependency_injection.rb

@@ -0,0 +1,10 @@
+module Proxy
+  module ContainerGateway
+    module DependencyInjection
+      include Proxy::DependencyInjection::Accessors
+      def container_instance
+        @container_instance ||= ::Proxy::Plugins.instance.find { |p| p[:name] == :container_gateway }[:di_container]
+      end
+    end
+  end
+end

data/lib/smart_proxy_container_gateway/sequel_migrations/003_authorization_reorg.rb

@@ -25,8 +25,8 @@ Sequel.migration do
     end
 
     # Populate the new user_id foreign key for all authentication_tokens
-    from(:authentication_tokens).insert([:user_id],
-                                        from(:users).select(:id).where(name: self[:authentication_tokens][:username]))
+    from(:authentication_tokens).
+      update(user_id: from(:users).select(:id).where(name: Sequel[:authentication_tokens][:username]))
 
     alter_table(:authentication_tokens) do
       drop_column :username

data/lib/smart_proxy_container_gateway/sequel_migrations/004_users_repositories_cascade_delete.rb

@@ -0,0 +1,28 @@
+Sequel.migration do
+  up do
+    # SQLite does not support dropping columns until version 3.35, which is not in the EL8 ecosystem as of March, 2024.
+    create_table(:repositories_users2) do
+      foreign_key :repository_id, :repositories, on_delete: :cascade
+      foreign_key :user_id, :users, on_delete: :cascade
+      primary_key %i[repository_id user_id]
+      index %i[repository_id user_id]
+    end
+    run "INSERT INTO repositories_users2(repository_id, user_id) SELECT repository_id, user_id from repositories_users"
+
+    drop_table(:repositories_users)
+    rename_table(:repositories_users2, :repositories_users)
+  end
+
+  down do
+    create_table(:repositories_users2) do
+      foreign_key :repository_id, :repositories
+      foreign_key :user_id, :users
+      primary_key %i[repository_id user_id]
+      index %i[repository_id user_id]
+    end
+    run "INSERT INTO repositories_users2(repository_id, user_id) SELECT repository_id, user_id from repositories_users"
+
+    drop_table(:repositories_users)
+    rename_table(:repositories_users2, :repositories_users)
+  end
+end

data/lib/smart_proxy_container_gateway/version.rb

@@ -1,5 +1,5 @@
 module Proxy
   module ContainerGateway
-    VERSION = '1.2.0'.freeze
+    VERSION = '3.0.0'.freeze
   end
 end

data/lib/smart_proxy_container_gateway.rb

@@ -1,2 +1,4 @@
 require 'smart_proxy_container_gateway/version'
+require 'smart_proxy_container_gateway/database'
 require 'smart_proxy_container_gateway/container_gateway'
+require 'smart_proxy_container_gateway/container_gateway_main'

data/settings.d/container_gateway.yml.example

@@ -1,10 +1,16 @@
 ---
 :enabled: true
-:pulp_endpoint: 'https://your_pulp_3_server_here.com'
-:pulp_client_ssl_ca: 'CA Cert for authenticating with Pulp'
-:pulp_client_ssl_cert: 'X509 certificate for authenticating with Pulp'
-:pulp_client_ssl_key: 'RSA private key for the Pulp certificate'
-:katello_registry_path: 'Katello container registry suffix, e.g., /v2/'
-:sqlite_db_path: '/var/lib/foreman-proxy/smart_proxy_container_gateway.db'
+
+#:pulp_endpoint: 'https://pulp3.example.com'
+#:pulp_client_ssl_ca: '/path/to/ca.pem'
+#:pulp_client_ssl_cert: '/path/to/cert.pem'
+#:pulp_client_ssl_key: '/path/to/key.pem'
+
+#:katello_registry_path: '/v2/'
+
+#:db_connection_string: postgresql:///container_gateway
+
+# Legacy options
+#:sqlite_db_path: '/var/lib/foreman-proxy/smart_proxy_container_gateway.db'
 # Database busy timeout in milliseconds
-:sqlite_timeout: 30000
+#:sqlite_timeout: 30000

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: smart_proxy_container_gateway
 version: !ruby/object:Gem::Version
-  version: 1.2.0
+  version: 3.0.0
 platform: ruby
 authors:
 - Ian Ballou
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-01-09 00:00:00.000000000 Z
+date: 2024-05-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -24,6 +24,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: pg
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: sequel
   requirement: !ruby/object:Gem::Requirement
@@ -68,10 +82,13 @@ files:
 - lib/smart_proxy_container_gateway/container_gateway_api.rb
 - lib/smart_proxy_container_gateway/container_gateway_http_config.ru
 - lib/smart_proxy_container_gateway/container_gateway_main.rb
+- lib/smart_proxy_container_gateway/database.rb
+- lib/smart_proxy_container_gateway/dependency_injection.rb
 - lib/smart_proxy_container_gateway/foreman_api.rb
 - lib/smart_proxy_container_gateway/sequel_migrations/001_initial.rb
 - lib/smart_proxy_container_gateway/sequel_migrations/002_auth_tokens.rb
 - lib/smart_proxy_container_gateway/sequel_migrations/003_authorization_reorg.rb
+- lib/smart_proxy_container_gateway/sequel_migrations/004_users_repositories_cascade_delete.rb
 - lib/smart_proxy_container_gateway/version.rb
 - settings.d/container_gateway.yml.example
 homepage: https://github.com/Katello/smart_proxy_container_gateway
@@ -93,7 +110,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.10
+rubygems_version: 3.4.21
 signing_key:
 specification_version: 4
 summary: Pulp 3 container registry support for Foreman/Katello Smart-Proxy