PyPI - devpi-admin - Versions diffs - 1.4.0__tar.gz → 1.4.1__tar.gz - Mend

devpi-admin 1.4.0tar.gz → 1.4.1tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (38) hide show

{devpi_admin-1.4.0 → devpi_admin-1.4.1}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: devpi-admin
-Version: 1.4.0
+Version: 1.4.1
 Summary: Modern web UI plugin for devpi-server — drop-in replacement for devpi-web
 Author-email: Pavel Revak <pavelrevak@gmail.com>
 License: MIT
@@ -122,6 +122,12 @@ talks to the standard devpi JSON API directly.
   `DELETE` is **never** granted, even with `upload` scope - package removal must use
   password auth. Anything outside the bound index path returns 403, including the SPA,
   `/+admin-api/*` (so a token cannot mint further tokens), `/+login`, `/`, and `/<user>`.
+  **Bases exception**: `GET /<base>/<idx>/+f/<...>` is also allowed when `<base>/<idx>`
+  is in the bound stage's SRO (bases inheritance). devpi's `+simple/` view on a stage
+  emits file links pointing directly at the base index (e.g. mirror-fed packages on
+  `villapro/staging` link to `/root/pypi/+f/...`); without this exception pip would
+  follow the link with the bound token and get 403. Limited to `GET` on `+f/` —
+  cross-index `+simple/` and writes remain blocked.
 - **Issuance rules**: regular users may issue for themselves; root may issue for *other*
   users (admin delegation) but not for itself. Admin-token-authenticated requests cannot
   issue further tokens. Issuance verifies the target user is in `acl_read` /

{devpi_admin-1.4.0 → devpi_admin-1.4.1}/README.md RENAMED Viewed

@@ -98,6 +98,12 @@ talks to the standard devpi JSON API directly.
   `DELETE` is **never** granted, even with `upload` scope - package removal must use
   password auth. Anything outside the bound index path returns 403, including the SPA,
   `/+admin-api/*` (so a token cannot mint further tokens), `/+login`, `/`, and `/<user>`.
+  **Bases exception**: `GET /<base>/<idx>/+f/<...>` is also allowed when `<base>/<idx>`
+  is in the bound stage's SRO (bases inheritance). devpi's `+simple/` view on a stage
+  emits file links pointing directly at the base index (e.g. mirror-fed packages on
+  `villapro/staging` link to `/root/pypi/+f/...`); without this exception pip would
+  follow the link with the bound token and get 403. Limited to `GET` on `+f/` —
+  cross-index `+simple/` and writes remain blocked.
 - **Issuance rules**: regular users may issue for themselves; root may issue for *other*
   users (admin delegation) but not for itself. Admin-token-authenticated requests cannot
   issue further tokens. Issuance verifies the target user is in `acl_read` /

{devpi_admin-1.4.0 → devpi_admin-1.4.1}/devpi_admin/_version.py RENAMED Viewed

@@ -18,7 +18,7 @@ version_tuple: tuple[int | str, ...]
 commit_id: str | None
 __commit_id__: str | None
-__version__ = version = '1.4.0'
-__version_tuple__ = version_tuple = (1, 4, 0)
+__version__ = version = '1.4.1'
+__version_tuple__ = version_tuple = (1, 4, 1)
-__commit_id__ = commit_id = 'gc695723cf'
+__commit_id__ = commit_id = 'gf69f25fba'

{devpi_admin-1.4.0 → devpi_admin-1.4.1}/devpi_admin/main.py RENAMED Viewed

@@ -444,7 +444,7 @@ def devpi_admin_tween_factory(handler, registry):
                 # Cache for the identity hook so it doesn't re-read keyfs.
                 request.environ["adm.token_meta"] = meta
                 request.environ["adm.is_admin_token"] = True
-                denied = _admin_token_check(request, meta)
+                denied = _admin_token_check(request, meta, xom)
                 if denied is not None:
                     return denied
             # Invalid/expired token: let the identity hook return None and
@@ -510,7 +510,7 @@ def _request_carries_admin_token(request):
     return _extract_admin_token_secret(request) is not None
-def _admin_token_check(request, token_meta):
+def _admin_token_check(request, token_meta, xom):
     """Restrict admin-token requests by scope and bound index.
     A token carries a ``scope`` (``read`` / ``upload``) and is bound to a
@@ -523,6 +523,13 @@ def _admin_token_check(request, token_meta):
       ``/<user>/<index>/...``. A token bound to ``alice/dev`` cannot
       reach ``/bob/prod`` or any management endpoint (``/+admin*``,
       ``/+admin-api/*``, ``/+login``, ``/+status``, ``/<user>``).
+    * Cross-base file downloads (``GET /<base>/<idx>/+f/...``) are
+      allowed when the target index is reachable through the bound
+      stage's SRO (bases inheritance). devpi's ``+simple/`` on a stage
+      returns links pointing to the base index hosting the file (e.g.
+      ``/root/pypi/+f/...`` for a mirror-fed package on
+      ``villapro/staging``); without this exception pip would follow
+      the link with the bound token and get 403.
     Returns ``None`` to allow, or an HTTPForbidden response to deny.
     """
@@ -553,11 +560,45 @@ def _admin_token_check(request, token_meta):
     prefix = "/" + bound
     if path == prefix or path.startswith(prefix + "/"):
         return None
+    # Bases inheritance for file downloads: a stage's +simple/ surfaces
+    # links into the base index (e.g. mirror) rather than rewriting them
+    # under the stage URL. Allow the resulting cross-index GET as long
+    # as the target is part of the bound stage's SRO.
+    if request.method == "GET":
+        file_match = _PKG_FILE_RE.match(path)
+        if file_match is not None:
+            other_user, other_index = file_match.group(1), file_match.group(2)
+            if _index_in_bound_sro(xom, bound, other_user, other_index):
+                return None
     return HTTPForbidden(json_body={
         "error": f"admin token bound to {bound} cannot access {path}",
     })
+def _index_in_bound_sro(xom, bound, other_user, other_index):
+    """Return True iff ``other_user/other_index`` is in bound stage's SRO.
+    SRO (Stage Resolution Order) is devpi's transitive bases traversal —
+    the same chain its ``+simple/`` view follows when emitting links.
+    Best-effort: missing stage or any error returns False (deny). Runs
+    inside a read transaction because ``sro()`` touches each base's
+    ``ixconfig`` in keyfs.
+    """
+    bound_user, bound_idx = bound.split("/", 1)
+    try:
+        with xom.keyfs.read_transaction(allow_reuse=True):
+            bound_stage = xom.model.getstage(bound_user, bound_idx)
+            if bound_stage is None:
+                return False
+            target_name = f"{other_user}/{other_index}"
+            for stage in bound_stage.sro():
+                if stage.name == target_name:
+                    return True
+    except Exception:
+        return False
+    return False
 def _user_listing_check(request):
     """Restrict ``GET /<user>/`` to that user or root.

{devpi_admin-1.4.0 → devpi_admin-1.4.1}/devpi_admin.egg-info/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: devpi-admin
-Version: 1.4.0
+Version: 1.4.1
 Summary: Modern web UI plugin for devpi-server — drop-in replacement for devpi-web
 Author-email: Pavel Revak <pavelrevak@gmail.com>
 License: MIT
@@ -122,6 +122,12 @@ talks to the standard devpi JSON API directly.
   `DELETE` is **never** granted, even with `upload` scope - package removal must use
   password auth. Anything outside the bound index path returns 403, including the SPA,
   `/+admin-api/*` (so a token cannot mint further tokens), `/+login`, `/`, and `/<user>`.
+  **Bases exception**: `GET /<base>/<idx>/+f/<...>` is also allowed when `<base>/<idx>`
+  is in the bound stage's SRO (bases inheritance). devpi's `+simple/` view on a stage
+  emits file links pointing directly at the base index (e.g. mirror-fed packages on
+  `villapro/staging` link to `/root/pypi/+f/...`); without this exception pip would
+  follow the link with the bound token and get 403. Limited to `GET` on `+f/` —
+  cross-index `+simple/` and writes remain blocked.
 - **Issuance rules**: regular users may issue for themselves; root may issue for *other*
   users (admin delegation) but not for itself. Admin-token-authenticated requests cannot
   issue further tokens. Issuance verifies the target user is in `acl_read` /

{devpi_admin-1.4.0 → devpi_admin-1.4.1}/tests/test_acl_read.py RENAMED Viewed

@@ -150,7 +150,7 @@ class AdminTokenCheckTests(unittest.TestCase):
                      "/alice/dev/+simple/", "/alice/dev/+f/foo.whl",
                      "/alice/dev/foo/1.0"):
             self.assertIsNone(
-                _admin_token_check(self._make("GET", path), self._meta()),
+                _admin_token_check(self._make("GET", path), self._meta(), None),
                 "GET %s should be allowed" % path)
     def test_read_scope_blocks_management_paths(self):
@@ -158,30 +158,31 @@ class AdminTokenCheckTests(unittest.TestCase):
                      "/+admin-api/users/alice/tokens", "/+status",
                      "/alice", "/alice/"):
             self.assertIsNotNone(
-                _admin_token_check(self._make("GET", path), self._meta()),
+                _admin_token_check(self._make("GET", path), self._meta(), None),
                 "GET %s should be blocked" % path)
     def test_read_scope_blocks_other_index(self):
         # Token bound to alice/dev cannot reach bob/prod.
         self.assertIsNotNone(_admin_token_check(
-            self._make("GET", "/bob/prod"), self._meta()))
+            self._make("GET", "/bob/prod"), self._meta(), None))
         self.assertIsNotNone(_admin_token_check(
-            self._make("GET", "/bob/prod/+simple/foo"), self._meta()))
+            self._make("GET", "/bob/prod/+simple/foo"), self._meta(), None))
         # Even alice's *other* index is blocked.
         self.assertIsNotNone(_admin_token_check(
-            self._make("GET", "/alice/staging"), self._meta()))
+            self._make("GET", "/alice/staging"), self._meta(), None))
     def test_head_treated_like_get(self):
         self.assertIsNone(_admin_token_check(
-            self._make("HEAD", "/alice/dev"), self._meta()))
+            self._make("HEAD", "/alice/dev"), self._meta(), None))
         self.assertIsNotNone(_admin_token_check(
-            self._make("HEAD", "/+login"), self._meta()))
+            self._make("HEAD", "/+login"), self._meta(), None))
     def test_read_scope_blocks_writes_everywhere(self):
         for method in ("POST", "PUT", "PATCH", "DELETE"):
             for path in ("/alice/dev", "/alice/dev/foo", "/+login"):
                 self.assertIsNotNone(
-                    _admin_token_check(self._make(method, path), self._meta()),
+                    _admin_token_check(
+                        self._make(method, path), self._meta(), None),
                     "%s %s must be blocked for read-scope token"
                     % (method, path))
@@ -191,10 +192,10 @@ class AdminTokenCheckTests(unittest.TestCase):
         meta = self._meta(scope="upload")
         for method in ("POST", "PUT"):
             self.assertIsNone(_admin_token_check(
-                self._make(method, "/alice/dev"), meta),
+                self._make(method, "/alice/dev"), meta, None),
                 "%s should be allowed" % method)
             self.assertIsNone(_admin_token_check(
-                self._make(method, "/alice/dev/foo/1.0"), meta))
+                self._make(method, "/alice/dev/foo/1.0"), meta, None))
     def test_upload_scope_blocks_delete(self):
         # Even with upload scope, DELETE is never allowed — package
@@ -202,31 +203,142 @@ class AdminTokenCheckTests(unittest.TestCase):
         meta = self._meta(scope="upload")
         for path in ("/alice/dev", "/alice/dev/foo", "/alice/dev/foo/1.0"):
             self.assertIsNotNone(
-                _admin_token_check(self._make("DELETE", path), meta),
+                _admin_token_check(self._make("DELETE", path), meta, None),
                 "DELETE %s must be blocked even for upload scope" % path)
     def test_upload_scope_blocks_other_index(self):
         meta = self._meta(scope="upload")
         self.assertIsNotNone(_admin_token_check(
-            self._make("POST", "/bob/prod"), meta))
+            self._make("POST", "/bob/prod"), meta, None))
     def test_upload_scope_blocks_management_paths(self):
         meta = self._meta(scope="upload")
         for path in ("/+login", "/+admin-api/token", "/+admin/", "/"):
             self.assertIsNotNone(
-                _admin_token_check(self._make("POST", path), meta))
+                _admin_token_check(self._make("POST", path), meta, None))
     # --- malformed meta (defensive) ---
     def test_unknown_scope_blocked(self):
         meta = {"user": "alice", "index": "alice/dev", "scope": "weird"}
         self.assertIsNotNone(_admin_token_check(
-            self._make("GET", "/alice/dev"), meta))
+            self._make("GET", "/alice/dev"), meta, None))
     def test_missing_index_blocked(self):
         meta = {"user": "alice", "scope": "read"}
         self.assertIsNotNone(_admin_token_check(
-            self._make("GET", "/alice/dev"), meta))
+            self._make("GET", "/alice/dev"), meta, None))
+class AdminTokenBasesAwareTests(unittest.TestCase):
+    """File-download cross-index GETs are allowed when the target index
+    is reachable through the bound stage's SRO (bases inheritance).
+    devpi's ``+simple/`` view on a stage emits links pointing to the
+    base index that physically hosts the file (e.g. mirror-fed packages
+    on ``villapro/staging`` link to ``/root/pypi/+f/...``); pip then
+    follows them with the bound token and must not be 403'd.
+    """
+    def _make(self, method, path):
+        req = MagicMock()
+        req.method = method
+        req.path = path
+        return req
+    def _meta(self, index="villapro/staging"):
+        return {
+            "user": index.split("/")[0], "index": index, "scope": "read"}
+    def _xom_with_sro(self, sro_names):
+        """Build a stub xom whose bound stage's sro() yields stages with
+        the given ``user/index`` names. ``read_transaction()`` is a
+        no-op context manager.
+        """
+        stages = [MagicMock(name=n) for n in sro_names]
+        for stage, n in zip(stages, sro_names):
+            stage.name = n
+        bound_stage = MagicMock()
+        bound_stage.sro.return_value = iter(stages)
+        xom = MagicMock()
+        xom.model.getstage.return_value = bound_stage
+        ctx = MagicMock()
+        ctx.__enter__ = MagicMock(return_value=ctx)
+        ctx.__exit__ = MagicMock(return_value=False)
+        xom.keyfs.read_transaction.return_value = ctx
+        return xom
+    def test_file_download_on_base_index_allowed(self):
+        # staging → private → pypi: pip follows mirror file link.
+        xom = self._xom_with_sro(
+            ["villapro/staging", "villapro/private", "root/pypi"])
+        result = _admin_token_check(
+            self._make("GET", "/root/pypi/+f/ab/cdef/setuptools-1.0.whl"),
+            self._meta(), xom)
+        self.assertIsNone(result)
+    def test_file_download_on_intermediate_base_allowed(self):
+        xom = self._xom_with_sro(
+            ["villapro/staging", "villapro/private", "root/pypi"])
+        result = _admin_token_check(
+            self._make("GET", "/villapro/private/+f/ab/cdef/pkg-1.0.whl"),
+            self._meta(), xom)
+        self.assertIsNone(result)
+    def test_file_download_on_unrelated_index_blocked(self):
+        xom = self._xom_with_sro(
+            ["villapro/staging", "villapro/private", "root/pypi"])
+        result = _admin_token_check(
+            self._make("GET", "/charlie/secret/+f/ab/cdef/pkg-1.0.whl"),
+            self._meta(), xom)
+        self.assertIsNotNone(result)
+    def test_simple_listing_on_base_not_exempted(self):
+        # Bases exception is scoped to +f/ file downloads only — pip
+        # always queries +simple/ on the bound stage URL (devpi merges
+        # the views), so cross-index +simple has no legitimate flow and
+        # must remain blocked to keep token scope meaningful.
+        xom = self._xom_with_sro(
+            ["villapro/staging", "root/pypi"])
+        result = _admin_token_check(
+            self._make("GET", "/root/pypi/+simple/setuptools/"),
+            self._meta(), xom)
+        self.assertIsNotNone(result)
+    def test_bound_stage_missing_denies(self):
+        xom = MagicMock()
+        xom.model.getstage.return_value = None
+        ctx = MagicMock()
+        ctx.__enter__ = MagicMock(return_value=ctx)
+        ctx.__exit__ = MagicMock(return_value=False)
+        xom.keyfs.read_transaction.return_value = ctx
+        result = _admin_token_check(
+            self._make("GET", "/root/pypi/+f/ab/cdef/pkg.whl"),
+            self._meta(), xom)
+        self.assertIsNotNone(result)
+    def test_sro_lookup_exception_denies(self):
+        # Best-effort: any error in SRO traversal falls through to deny,
+        # rather than masking a misconfiguration as accidental access.
+        xom = MagicMock()
+        xom.keyfs.read_transaction.side_effect = RuntimeError("boom")
+        result = _admin_token_check(
+            self._make("GET", "/root/pypi/+f/ab/cdef/pkg.whl"),
+            self._meta(), xom)
+        self.assertIsNotNone(result)
+    def test_upload_scope_does_not_use_bases_exception(self):
+        # Upload tokens write to the bound stage; cross-base writes
+        # don't have an analogous "+f link in +simple" justification.
+        # POST /root/pypi/... must stay blocked even with SRO match.
+        xom = self._xom_with_sro(["villapro/staging", "root/pypi"])
+        meta = {"user": "villapro", "index": "villapro/staging",
+                "scope": "upload"}
+        result = _admin_token_check(
+            self._make("POST", "/root/pypi/+f/ab/cdef/pkg.whl"),
+            meta, xom)
+        self.assertIsNotNone(result)
 class UserListingCheckTests(unittest.TestCase):