RubyGems - smart_proxy_container_gateway - Versions diffs - 1.2.0 → 3.0.0 - Mend

smart_proxy_container_gateway 1.2.0 → 3.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

checksums.yaml +4 -4
data/README.md +13 -2
data/lib/smart_proxy_container_gateway/container_gateway.rb +21 -1
data/lib/smart_proxy_container_gateway/container_gateway_api.rb +62 -24
data/lib/smart_proxy_container_gateway/container_gateway_main.rb +107 -116
data/lib/smart_proxy_container_gateway/database.rb +46 -0
data/lib/smart_proxy_container_gateway/dependency_injection.rb +10 -0
data/lib/smart_proxy_container_gateway/sequel_migrations/003_authorization_reorg.rb +2 -2
data/lib/smart_proxy_container_gateway/sequel_migrations/004_users_repositories_cascade_delete.rb +28 -0
data/lib/smart_proxy_container_gateway/version.rb +1 -1
data/lib/smart_proxy_container_gateway.rb +2 -0
data/settings.d/container_gateway.yml.example +13 -7
metadata +20 -3

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3d41b324aaa36809e103fc5a20cf934ed6821825355d6968e140f1ec1135c347
-  data.tar.gz: 645b65950210122681aed76963da3a95cb48ef75284c139046c992ff49bfa30f
+  metadata.gz: bb4e40d814ff330008ad5f1bf4bf667ba9e91415bc997ea4d66a2beb7fb0a00e
+  data.tar.gz: 84360d1228198e91460a2b841985b12c5c9f5d5d062d191862a2e9cc5bef10e9
 SHA512:
-  metadata.gz: 012b85b6a699b3f3887d3ec69e2995aa230c26be432c4353052946065135cfe5496dac8d27a4c7d3e5533f40dcc6c584fae81e22b695ea7af8e8087b6e80ddc3
-  data.tar.gz: 0a1ce283eb9b6fbbb9ec3360a16b7b76107b9f294ba3d5a58cac0e9147c94a672643de50027d4086a4701ee01a1c52311f2120b8bbb74f2b870f9a0e7764eba5
+  metadata.gz: 37997d8de598e480912ecc0785fc755138aa90163dcb20981210eff4a935ae85a49a157b8c51189a6a13a6a29a1ff391429e477257d466b0b9d0d19d04d33fcd
+  data.tar.gz: 5a81a246030ed8d9fcd7b847c30fb241c2974e203ae09b256a017432cffa549073430a203e5d6231f55527db005237477a4903482c88ddad47e4c2ca894f8def

data/README.md CHANGED Viewed

@@ -35,11 +35,22 @@ The Container Gateway plugin requires a Pulp 3 instance to connect to.  Related
 # Database information
-SQLite database migrations are completely automated.  The plugin checks if the database is up-to-date before each query.
+SQLite and PostgreSQL are supported, with SQLite being the default for development and testing.
+Use PostgreSQL in production for improved performance by adding the following settings:
+```
+# Example PostgreSQL connection settings, using UNIX socket and ident auth
+:db_connection_string: postgres:///container_gateway
+```
+When switching from SQLite to PostgreSQL, if the PostgreSQL database is empty, the SQLite database will be automatically migrated to PostgreSQL.
+For the migration to work, the sqlite_db_path setting must point to the old SQLite database file if the default (no setting definition) was not used.
+The SQLite database file will be deleted after the migration to PostgreSQL is complete.
+Database migrations are completely automated.  The plugin checks if the database is up-to-date at initialization time.
 # Katello interaction
-Auth information is retrieved from the Katello server during smart proxy sync time and cached in the SQLite database.
+Auth information is retrieved from the Katello server during smart proxy sync time and cached in the database.
 Logging in with a container client will cause the Container Gateway to fetch a token from Katello using the login information.

data/lib/smart_proxy_container_gateway/container_gateway.rb CHANGED Viewed

@@ -7,7 +7,6 @@ module Proxy
       default_settings :pulp_endpoint => "https://#{`hostname`.strip}",
                        :katello_registry_path => '/v2/',
-                       :sqlite_db_path => '/var/lib/foreman-proxy/smart_proxy_container_gateway.db',
                        :sqlite_timeout => 30_000
       # Load defaults that copy values from SETTINGS. This is done as
@@ -25,6 +24,27 @@ module Proxy
       validate :pulp_endpoint, url: true
       rackup_path File.join(__dir__, 'container_gateway_http_config.ru')
+      load_dependency_injection_wirings do |container_instance, settings|
+        container_instance.singleton_dependency :database_impl, (lambda do
+          connection_string = settings.fetch(:db_connection_string) do
+            unless settings[:sqlite_db_path]
+              raise ValueError, 'Missing db_connection_string or sqlite_db_path option'
+            end
+            # Legacy setup
+            "sqlite://#{settings[:sqlite_db_path]}?timeout=#{settings[:sqlite_timeout]}"
+          end
+          Proxy::ContainerGateway::Database.new(connection_string, settings[:sqlite_db_path])
+        end)
+        container_instance.singleton_dependency :container_gateway_main_impl, (lambda do
+          Proxy::ContainerGateway::ContainerGatewayMain.new(
+            database: container_instance.get_dependency(:database_impl),
+            **settings.slice(:pulp_endpoint, :pulp_client_ssl_ca, :pulp_client_ssl_cert, :pulp_client_ssl_key)
+          )
+        end)
+      end
     end
   end
 end

data/lib/smart_proxy_container_gateway/container_gateway_api.rb CHANGED Viewed

@@ -6,7 +6,6 @@ require 'sinatra'
 require 'smart_proxy_container_gateway/container_gateway'
 require 'smart_proxy_container_gateway/container_gateway_main'
 require 'smart_proxy_container_gateway/foreman_api'
-require 'sqlite3'
 module Proxy
   module ContainerGateway
@@ -14,15 +13,23 @@ module Proxy
       include ::Proxy::Log
       helpers ::Proxy::Helpers
       helpers ::Sinatra::Authorization::Helpers
+      extend ::Proxy::ContainerGateway::DependencyInjection
+      inject_attr :database_impl, :database
+      inject_attr :container_gateway_main_impl, :container_gateway_main
       get '/v1/_ping/?' do
-        Proxy::ContainerGateway.ping
+        pulp_response = container_gateway_main.ping(translated_headers_for_proxy)
+        status pulp_response.code.to_i
+        body pulp_response.body
       end
       get '/v2/?' do
         if auth_header.present? && (auth_header.unauthorized_token? || auth_header.valid_user_token?)
           response.headers['Docker-Distribution-API-Version'] = 'registry/2.0'
-          Proxy::ContainerGateway.ping
+          pulp_response = container_gateway_main.ping(translated_headers_for_proxy)
+          status pulp_response.code.to_i
+          body pulp_response.body
         else
           redirect_authorization_headers
           halt 401, "unauthorized"
@@ -33,22 +40,34 @@ module Proxy
         repository = params[:splat][0]
         tag = params[:splat][1]
         handle_repo_auth(repository, auth_header, request)
-        redirection_location = Proxy::ContainerGateway.manifests(repository, tag)
-        redirect to(redirection_location)
+        pulp_response = container_gateway_main.manifests(repository, tag, translated_headers_for_proxy)
+        if pulp_response.code.to_i >= 400
+          status pulp_response.code.to_i
+          body pulp_response.body
+        else
+          redirection_location = pulp_response['location']
+          redirect to(redirection_location)
+        end
       end
       get '/v2/*/blobs/*/?' do
         repository = params[:splat][0]
         digest = params[:splat][1]
         handle_repo_auth(repository, auth_header, request)
-        redirection_location = Proxy::ContainerGateway.blobs(repository, digest)
-        redirect to(redirection_location)
+        pulp_response = container_gateway_main.blobs(repository, digest, translated_headers_for_proxy)
+        if pulp_response.code.to_i >= 400
+          status pulp_response.code.to_i
+          body pulp_response.body
+        else
+          redirection_location = pulp_response['location']
+          redirect to(redirection_location)
+        end
       end
       get '/v2/*/tags/list/?' do
         repository = params[:splat][0]
         handle_repo_auth(repository, auth_header, request)
-        pulp_response = Proxy::ContainerGateway.tags(repository, params)
+        pulp_response = container_gateway_main.tags(repository, translated_headers_for_proxy, params)
         # "link"=>["<http://pulpcore-api/v2/container-image-name/tags/list?n=100&last=last-tag-name>; rel=\"next\""],
         # https://docs.docker.com/registry/spec/api/#pagination-1
         if pulp_response['link'].nil?
@@ -56,7 +75,8 @@ module Proxy
         else
           headers['link'] = pulp_response['link']
         end
-        pulp_response.body
+        status pulp_response.code.to_i
+        body pulp_response.body
       end
       get '/v1/search/?' do
@@ -74,19 +94,23 @@ module Proxy
           end
           params[:user] = username
         end
-        repositories = Proxy::ContainerGateway.v1_search(params)
+        repositories = container_gateway_main.v1_search(params)
         content_type :json
-        { num_results: repositories.size, query: params[:q], results: repositories }.to_json
+        {
+          num_results: repositories.size,
+          query: params[:q],
+          results: repositories.map { |repo_name| { description: '', name: repo_name } }
+        }.to_json
       end
       get '/v2/_catalog/?' do
         catalog = []
         if auth_header.present?
           if auth_header.unauthorized_token?
-            catalog = Proxy::ContainerGateway.catalog
+            catalog = container_gateway_main.catalog.select_map(::Sequel[:repositories][:name])
           elsif auth_header.valid_user_token?
-            catalog = Proxy::ContainerGateway.catalog(auth_header.user)
+            catalog = container_gateway_main.catalog(auth_header.user).select_map(::Sequel[:repositories][:name])
           else
             redirect_authorization_headers
             halt 401, "unauthorized"
@@ -131,7 +155,7 @@ module Proxy
           expires_in = token_response_body.fetch("expires_in", 60)
           expires_at = token_issue_time + expires_in.seconds
-          ContainerGateway.insert_token(
+          container_gateway_main.insert_token(
             request.params['account'],
             token_response_body['token'],
             expires_at.rfc3339
@@ -141,8 +165,8 @@ module Proxy
           if repo_response.code.to_i != 200
             halt repo_response.code.to_i, repo_response.body
           else
-            ContainerGateway.update_user_repositories(request.params['account'],
-                                                      JSON.parse(repo_response.body)['repositories'])
+            container_gateway_main.update_user_repositories(request.params['account'],
+                                                            JSON.parse(repo_response.body)['repositories'])
           end
           # Return the original token response from Katello
@@ -154,13 +178,13 @@ module Proxy
         do_authorize_any
         content_type :json
-        { users: User.map(:name) }.to_json
+        { users: database.connection[:users].map(:name) }.to_json
       end
       put '/user_repository_mapping/?' do
         do_authorize_any
-        ContainerGateway.update_user_repo_mapping(params)
+        container_gateway_main.update_user_repo_mapping(params)
         {}
       end
@@ -168,22 +192,32 @@ module Proxy
         do_authorize_any
         repositories = params['repositories'].nil? ? [] : params['repositories']
-        ContainerGateway.update_repository_list(repositories)
+        container_gateway_main.update_repository_list(repositories)
         {}
       end
       private
+      def translated_headers_for_proxy
+        current_headers = {}
+        env = request.env.select do |key, _value|
+          key.match("^HTTP_.*")
+        end
+        env.each do |header|
+          current_headers[header[0].split('_')[1..].join('-')] = header[1]
+        end
+        current_headers
+      end
       def handle_repo_auth(repository, auth_header, request)
         user_token_is_valid = false
-        # FIXME: Getting unauthenticated token here...
         if auth_header.present? && auth_header.valid_user_token?
           user_token_is_valid = true
-          username = auth_header.user.name
+          username = auth_header.user[:name]
         end
         username = request.params['account'] if username.nil?
-        return if Proxy::ContainerGateway.authorized_for_repo?(repository, user_token_is_valid, username)
+        return if container_gateway_main.authorized_for_repo?(repository, user_token_is_valid, username)
         redirect_authorization_headers
         halt 401, "unauthorized"
@@ -201,6 +235,10 @@ module Proxy
       end
       class AuthorizationHeader
+        extend ::Proxy::ContainerGateway::DependencyInjection
+        inject_attr :database_impl, :database
+        inject_attr :container_gateway_main_impl, :container_gateway_main
         UNAUTHORIZED_TOKEN = 'unauthorized'.freeze
         def initialize(value)
@@ -208,11 +246,11 @@ module Proxy
         end
         def user
-          ContainerGateway.token_user(@value.split(' ')[1])
+          container_gateway_main.token_user(@value.split(' ')[1])
         end
         def valid_user_token?
-          token_auth? && ContainerGateway.valid_token?(@value.split(' ')[1])
+          token_auth? && container_gateway_main.valid_token?(@value.split(' ')[1])
         end
         def raw_header

data/lib/smart_proxy_container_gateway/container_gateway_main.rb CHANGED Viewed

@@ -1,47 +1,62 @@
 require 'net/http'
 require 'uri'
 require 'digest'
+require 'smart_proxy_container_gateway/dependency_injection'
 require 'sequel'
 module Proxy
   module ContainerGateway
     extend ::Proxy::Util
     extend ::Proxy::Log
-    class << self
-      Sequel.extension :migration, :core_extensions
-      def pulp_registry_request(uri)
+    class ContainerGatewayMain
+      attr_reader :database
+      def initialize(database:, pulp_endpoint:, pulp_client_ssl_ca:, pulp_client_ssl_cert:, pulp_client_ssl_key:)
+        @database = database
+        @pulp_endpoint = pulp_endpoint
+        @pulp_client_ssl_ca = pulp_client_ssl_ca
+        @pulp_client_ssl_cert = OpenSSL::X509::Certificate.new(File.read(pulp_client_ssl_cert))
+        @pulp_client_ssl_key = OpenSSL::PKey::RSA.new(
+          File.read(pulp_client_ssl_key)
+        )
+      end
+      def pulp_registry_request(uri, headers)
         http_client = Net::HTTP.new(uri.host, uri.port)
-        http_client.ca_file = pulp_ca
-        http_client.cert = pulp_cert
-        http_client.key = pulp_key
+        http_client.ca_file = @pulp_client_ssl_ca
+        http_client.cert = @pulp_client_ssl_cert
+        http_client.key = @pulp_client_ssl_key
         http_client.use_ssl = true
         http_client.start do |http|
           request = Net::HTTP::Get.new uri
+          headers.each do |key, value|
+            request[key] = value
+          end
           http.request request
         end
       end
-      def ping
-        uri = URI.parse("#{Proxy::ContainerGateway::Plugin.settings.pulp_endpoint}/pulpcore_registry/v2/")
-        pulp_registry_request(uri).body
+      def ping(headers)
+        uri = URI.parse("#{@pulp_endpoint}/pulpcore_registry/v2/")
+        pulp_registry_request(uri, headers)
       end
-      def manifests(repository, tag)
+      def manifests(repository, tag, headers)
         uri = URI.parse(
-          "#{Proxy::ContainerGateway::Plugin.settings.pulp_endpoint}/pulpcore_registry/v2/#{repository}/manifests/#{tag}"
+          "#{@pulp_endpoint}/pulpcore_registry/v2/#{repository}/manifests/#{tag}"
         )
-        pulp_registry_request(uri)['location']
+        pulp_registry_request(uri, headers)
       end
-      def blobs(repository, digest)
+      def blobs(repository, digest, headers)
         uri = URI.parse(
-          "#{Proxy::ContainerGateway::Plugin.settings.pulp_endpoint}/pulpcore_registry/v2/#{repository}/blobs/#{digest}"
+          "#{@pulp_endpoint}/pulpcore_registry/v2/#{repository}/blobs/#{digest}"
         )
-        pulp_registry_request(uri)['location']
+        pulp_registry_request(uri, headers)
       end
-      def tags(repository, params = {})
+      def tags(repository, headers, params = {})
         query = "?"
         unless params[:n].nil? || params[:n] == ""
           query = "#{query}n=#{params[:n]}"
@@ -50,51 +65,54 @@ module Proxy
         query = "#{query}last=#{params[:last]}" unless params[:last].nil? || params[:last] == ""
         uri = URI.parse(
-          "#{Proxy::ContainerGateway::Plugin.settings.pulp_endpoint}/pulpcore_registry/v2/#{repository}/tags/list#{query}"
+          "#{@pulp_endpoint}/pulpcore_registry/v2/#{repository}/tags/list#{query}"
         )
-        pulp_registry_request(uri)
+        pulp_registry_request(uri, headers)
       end
       def v1_search(params = {})
         if params[:n].nil? || params[:n] == ""
-          params[:n] = 25
+          limit = 25
         else
-          params[:n] = params[:n].to_i
+          limit = params[:n].to_i
         end
+        return [] unless limit.positive?
-        repo_count = 0
-        repositories = []
-        user = params[:user].nil? ? nil : User.find(name: params[:user])
-        Proxy::ContainerGateway.catalog(user).each do |repo_name|
-          break if repo_count >= params[:n]
+        query = params[:q]
+        query = nil if query == ''
-          if params[:q].nil? || params[:q] == "" || repo_name.include?(params[:q])
-            repo_count += 1
-            repositories << { name: repo_name }
-          end
-        end
-        repositories
+        user = params[:user].nil? ? nil : database.connection[:users][{ name: params[:user] }]
+        repositories = query ? catalog(user).grep(:name, "%#{query}%") : catalog(user)
+        repositories.limit(limit).select_map(::Sequel[:repositories][:name])
       end
       def catalog(user = nil)
         if user.nil?
           unauthenticated_repos
         else
-          (unauthenticated_repos + user.repositories_dataset.map(:name)).sort
+          database.connection[:repositories].
+            left_join(:repositories_users, repository_id: :id).
+            left_join(:users, ::Sequel[:users][:id] => :user_id).where(user_id: user[:id]).
+            or(Sequel[:repositories][:auth_required] => false).order(::Sequel[:repositories][:name])
         end
       end
       def unauthenticated_repos
-        Repository.where(auth_required: false).order(:name).map(:name)
+        database.connection[:repositories].where(auth_required: false).order(:name)
       end
       # Replaces the entire list of repositories
       def update_repository_list(repo_list)
-        RepositoryUser.dataset.delete
-        Repository.dataset.delete
-        repo_list.each do |repo|
-          Repository.find_or_create(name: repo['repository'],
-                                    auth_required: repo['auth_required'].to_s.downcase == "true")
+        # repositories_users cascades on deleting repositories (or users)
+        database.connection.transaction(isolation: :serializable, retry_on: [Sequel::SerializationFailure]) do
+          repository = database.connection[:repositories]
+          repository.delete
+          repository.import(
+            %i[name auth_required],
+            repo_list.map { |repo| [repo['repository'], repo['auth_required'].to_s.downcase == "true"] }
+          )
         end
       end
@@ -103,122 +121,95 @@ module Proxy
         # Get hash map of all users and their repositories
         # Ex: {"users"=> [{"admin"=>[{"repository"=>"repo", "auth_required"=>"true"}]}]}
         # Go through list of repositories and add them to the DB
-        RepositoryUser.dataset.delete
-        user_repo_maps['users'].each do |user_repo_map|
-          user_repo_map.each do |user, repos|
-            next if repos.nil?
-            repos.each do |repo|
-              found_repo = Repository.find(name: repo['repository'],
-                                           auth_required: repo['auth_required'].to_s.downcase == "true")
-              if found_repo.nil?
-                logger.warn("#{repo['repository']} does not exist in this smart proxy's environments")
-              elsif found_repo.auth_required
-                found_repo.add_user(User.find(name: user))
-              end
+        repositories = database.connection[:repositories]
+        entries = user_repo_maps['users'].flat_map do |user_repo_map|
+          user_repo_map.filter_map do |username, repos|
+            user_repo_names = repos.filter { |repo| repo['auth_required'].to_s.downcase == "true" }.map do |repo|
+              repo['repository']
             end
+            user = database.connection[:users][{ name: username }]
+            repositories.where(name: user_repo_names, auth_required: true).select(:id).map { |repo| [repo[:id], user[:id]] }
           end
         end
+        entries.flatten!(1)
+        repositories_users = database.connection[:repositories_users]
+        database.connection.transaction(isolation: :serializable, retry_on: [Sequel::SerializationFailure]) do
+          repositories_users.delete
+          repositories_users.import(%i[repository_id user_id], entries)
+        end
       end
       # Replaces the user-repo mapping for a single user
       def update_user_repositories(username, repositories)
-        user = User.where(name: username).first
-        user.remove_all_repositories
-        repositories.each do |repo_name|
-          found_repo = Repository.find(name: repo_name)
-          if found_repo.nil?
-            logger.warn("#{repo_name} does not exist in this smart proxy's environments")
-          elsif user.repositories_dataset.where(name: repo_name).first.nil? && found_repo.auth_required
-            user.add_repository(found_repo)
-          end
+        user = database.connection[:users][{ name: username }]
+        user_repositories = database.connection[:repositories_users]
+        database.connection.transaction(isolation: :serializable,
+                                        retry_on: [Sequel::SerializationFailure],
+                                        num_retries: 10) do
+          user_repositories.where(user_id: user[:id]).delete
+          user_repositories.import(
+            %i[repository_id user_id],
+            database.connection[:repositories].where(name: repositories, auth_required: true).select(:id).map do |repo|
+              [repo[:id], user[:id]]
+            end
+          )
         end
       end
       def authorized_for_repo?(repo_name, user_token_is_valid, username = nil)
-        repository = Repository.where(name: repo_name).first
+        repository = database.connection[:repositories][{ name: repo_name }]
         # Repository doesn't exist
         return false if repository.nil?
         # Repository doesn't require auth
-        return true unless repository.auth_required
+        return true unless repository[:auth_required]
-        if username && user_token_is_valid && repository.auth_required
+        if username && user_token_is_valid
           # User is logged in and has access to the repository
-          user = User.find(name: username)
-          return !user.repositories_dataset.where(name: repo_name).first.nil?
+          return !database.connection[:repositories_users].where(
+            repository_id: repository[:id], user_id: database.connection[:users].first(name: username)[:id]
+          ).empty?
         end
         false
       end
       def token_user(token)
-        User[AuthenticationToken.find(token_checksum: Digest::SHA256.hexdigest(token)).user_id]
+        database.connection[:users][{
+          id: database.connection[:authentication_tokens].where(token_checksum: checksum(token)).select(:user_id)
+        }]
       end
       def valid_token?(token)
-        AuthenticationToken.where(token_checksum: Digest::SHA256.hexdigest(token)).where do
+        !database.connection[:authentication_tokens].where(token_checksum: checksum(token)).where do
           expire_at > Sequel::CURRENT_TIMESTAMP
-        end.count.positive?
+        end.empty?
       end
       def insert_token(username, token, expire_at_string, clear_expired_tokens: true)
         checksum = Digest::SHA256.hexdigest(token)
-        user = User.find_or_create(name: username)
-        AuthenticationToken.where(:token_checksum => checksum).delete
-        AuthenticationToken.create(token_checksum: checksum, expire_at: expire_at_string.to_s, user_id: user.id)
-        AuthenticationToken.where { expire_at < Sequel::CURRENT_TIMESTAMP }.delete if clear_expired_tokens
-      end
-      def initialize_db
-        file_path = Proxy::ContainerGateway::Plugin.settings.sqlite_db_path
-        sqlite_timeout = Proxy::ContainerGateway::Plugin.settings.sqlite_timeout
-        conn = Sequel.connect("sqlite://#{file_path}", timeout: sqlite_timeout)
-        container_gateway_path = $LOAD_PATH.detect { |path| path.include? 'smart_proxy_container_gateway' }
-        begin
-          Sequel::Migrator.check_current(conn, "#{container_gateway_path}/smart_proxy_container_gateway/sequel_migrations")
-        rescue Sequel::Migrator::NotCurrentError
-          migrate_db(conn, container_gateway_path)
-        end
-        conn
-      end
+        user = Sequel::Model(database.connection[:users]).find_or_create(name: username)
-      private
-      def migrate_db(db_connection, container_gateway_path)
-        Sequel::Migrator.run(db_connection, "#{container_gateway_path}/smart_proxy_container_gateway/sequel_migrations")
-      end
+        database.connection.transaction(isolation: :serializable, retry_on: [Sequel::SerializationFailure]) do
+          database.connection[:authentication_tokens].where(:token_checksum => checksum).delete
+          Sequel::Model(database.connection[:authentication_tokens]).
+            create(token_checksum: checksum, expire_at: expire_at_string.to_s, user_id: user.id)
+          return unless clear_expired_tokens
-      def pulp_ca
-        Proxy::ContainerGateway::Plugin.settings.pulp_client_ssl_ca
+          database.connection[:authentication_tokens].where { expire_at < Sequel::CURRENT_TIMESTAMP }.delete
+        end
       end
-      def pulp_cert
-        OpenSSL::X509::Certificate.new(File.read(Proxy::ContainerGateway::Plugin.settings.pulp_client_ssl_cert))
-      end
+      private
-      def pulp_key
-        OpenSSL::PKey::RSA.new(
-          File.read(Proxy::ContainerGateway::Plugin.settings.pulp_client_ssl_key)
-        )
+      def checksum(token)
+        Digest::SHA256.hexdigest(token)
       end
     end
-    class Repository < ::Sequel::Model(Proxy::ContainerGateway.initialize_db[:repositories])
-      many_to_many :users
-    end
-    class User < ::Sequel::Model(Proxy::ContainerGateway.initialize_db[:users])
-      many_to_many :repositories
-      one_to_many :authentication_tokens
-    end
-    class RepositoryUser < ::Sequel::Model(Proxy::ContainerGateway.initialize_db[:repositories_users]); end
-    class AuthenticationToken < ::Sequel::Model(Proxy::ContainerGateway.initialize_db[:authentication_tokens])
-      many_to_one :users
-    end
   end
 end

data/lib/smart_proxy_container_gateway/database.rb ADDED Viewed

@@ -0,0 +1,46 @@
+require 'sequel'
+module Proxy
+  module ContainerGateway
+    class Database
+      attr_reader :connection
+      def initialize(connection_string, prior_sqlite_db_path = nil)
+        @connection = Sequel.connect(connection_string)
+        if connection_string.start_with?('sqlite://')
+          @connection.run("PRAGMA foreign_keys = ON;")
+          @connection.run("PRAGMA journal_mode = wal;")
+        elsif prior_sqlite_db_path && File.exist?(prior_sqlite_db_path) &&
+              (!@connection.table_exists?(:repositories) || @connection[:repositories].count.zero?)
+          migrate_to_postgres(Sequel.sqlite(prior_sqlite_db_path), @connection)
+          File.delete(prior_sqlite_db_path)
+        end
+        migrate
+      end
+      private
+      def migrate
+        Sequel.extension :migration, :core_extensions
+        migration_path = File.join(__dir__, 'sequel_migrations')
+        begin
+          Sequel::Migrator.check_current(@connection, migration_path)
+        rescue Sequel::Migrator::NotCurrentError
+          Sequel::Migrator.run(@connection, migration_path)
+        end
+      end
+      def migrate_to_postgres(sqlite_db, postgres_db)
+        migrate
+        sqlite_db.transaction do
+          sqlite_db.tables.each do |table|
+            next if table == :schema_info
+            sqlite_db[table].each do |row|
+              postgres_db[table.to_sym].insert(row)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/smart_proxy_container_gateway/dependency_injection.rb ADDED Viewed

@@ -0,0 +1,10 @@
+module Proxy
+  module ContainerGateway
+    module DependencyInjection
+      include Proxy::DependencyInjection::Accessors
+      def container_instance
+        @container_instance ||= ::Proxy::Plugins.instance.find { |p| p[:name] == :container_gateway }[:di_container]
+      end
+    end
+  end
+end

data/lib/smart_proxy_container_gateway/sequel_migrations/003_authorization_reorg.rb CHANGED Viewed

@@ -25,8 +25,8 @@ Sequel.migration do
     end
     # Populate the new user_id foreign key for all authentication_tokens
-    from(:authentication_tokens).insert([:user_id],
-                                        from(:users).select(:id).where(name: self[:authentication_tokens][:username]))
+    from(:authentication_tokens).
+      update(user_id: from(:users).select(:id).where(name: Sequel[:authentication_tokens][:username]))
     alter_table(:authentication_tokens) do
       drop_column :username

data/lib/smart_proxy_container_gateway/sequel_migrations/004_users_repositories_cascade_delete.rb ADDED Viewed

@@ -0,0 +1,28 @@
+Sequel.migration do
+  up do
+    # SQLite does not support dropping columns until version 3.35, which is not in the EL8 ecosystem as of March, 2024.
+    create_table(:repositories_users2) do
+      foreign_key :repository_id, :repositories, on_delete: :cascade
+      foreign_key :user_id, :users, on_delete: :cascade
+      primary_key %i[repository_id user_id]
+      index %i[repository_id user_id]
+    end
+    run "INSERT INTO repositories_users2(repository_id, user_id) SELECT repository_id, user_id from repositories_users"
+    drop_table(:repositories_users)
+    rename_table(:repositories_users2, :repositories_users)
+  end
+  down do
+    create_table(:repositories_users2) do
+      foreign_key :repository_id, :repositories
+      foreign_key :user_id, :users
+      primary_key %i[repository_id user_id]
+      index %i[repository_id user_id]
+    end
+    run "INSERT INTO repositories_users2(repository_id, user_id) SELECT repository_id, user_id from repositories_users"
+    drop_table(:repositories_users)
+    rename_table(:repositories_users2, :repositories_users)
+  end
+end

data/lib/smart_proxy_container_gateway/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 module Proxy
   module ContainerGateway
-    VERSION = '1.2.0'.freeze
+    VERSION = '3.0.0'.freeze
   end
 end

data/lib/smart_proxy_container_gateway.rb CHANGED Viewed

@@ -1,2 +1,4 @@
 require 'smart_proxy_container_gateway/version'
+require 'smart_proxy_container_gateway/database'
 require 'smart_proxy_container_gateway/container_gateway'
+require 'smart_proxy_container_gateway/container_gateway_main'

data/settings.d/container_gateway.yml.example CHANGED Viewed

@@ -1,10 +1,16 @@
 ---
 :enabled: true
-:pulp_endpoint: 'https://your_pulp_3_server_here.com'
-:pulp_client_ssl_ca: 'CA Cert for authenticating with Pulp'
-:pulp_client_ssl_cert: 'X509 certificate for authenticating with Pulp'
-:pulp_client_ssl_key: 'RSA private key for the Pulp certificate'
-:katello_registry_path: 'Katello container registry suffix, e.g., /v2/'
-:sqlite_db_path: '/var/lib/foreman-proxy/smart_proxy_container_gateway.db'
+#:pulp_endpoint: 'https://pulp3.example.com'
+#:pulp_client_ssl_ca: '/path/to/ca.pem'
+#:pulp_client_ssl_cert: '/path/to/cert.pem'
+#:pulp_client_ssl_key: '/path/to/key.pem'
+#:katello_registry_path: '/v2/'
+#:db_connection_string: postgresql:///container_gateway
+# Legacy options
+#:sqlite_db_path: '/var/lib/foreman-proxy/smart_proxy_container_gateway.db'
 # Database busy timeout in milliseconds
-:sqlite_timeout: 30000
+#:sqlite_timeout: 30000

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: smart_proxy_container_gateway
 version: !ruby/object:Gem::Version
-  version: 1.2.0
+  version: 3.0.0
 platform: ruby
 authors:
 - Ian Ballou
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-01-09 00:00:00.000000000 Z
+date: 2024-05-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -24,6 +24,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: pg
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: sequel
   requirement: !ruby/object:Gem::Requirement
@@ -68,10 +82,13 @@ files:
 - lib/smart_proxy_container_gateway/container_gateway_api.rb
 - lib/smart_proxy_container_gateway/container_gateway_http_config.ru
 - lib/smart_proxy_container_gateway/container_gateway_main.rb
+- lib/smart_proxy_container_gateway/database.rb
+- lib/smart_proxy_container_gateway/dependency_injection.rb
 - lib/smart_proxy_container_gateway/foreman_api.rb
 - lib/smart_proxy_container_gateway/sequel_migrations/001_initial.rb
 - lib/smart_proxy_container_gateway/sequel_migrations/002_auth_tokens.rb
 - lib/smart_proxy_container_gateway/sequel_migrations/003_authorization_reorg.rb
+- lib/smart_proxy_container_gateway/sequel_migrations/004_users_repositories_cascade_delete.rb
 - lib/smart_proxy_container_gateway/version.rb
 - settings.d/container_gateway.yml.example
 homepage: https://github.com/Katello/smart_proxy_container_gateway
@@ -93,7 +110,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.10
+rubygems_version: 3.4.21
 signing_key:
 specification_version: 4
 summary: Pulp 3 container registry support for Foreman/Katello Smart-Proxy