devpi-admin 1.4.2__tar.gz → 1.4.4__tar.gz

{devpi_admin-1.4.2 → devpi_admin-1.4.4}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: devpi-admin
-Version: 1.4.2
+Version: 1.4.4
 Summary: Modern web UI plugin for devpi-server — drop-in replacement for devpi-web
 Author-email: Pavel Revak <pavelrevak@gmail.com>
 License: MIT
@@ -61,6 +61,10 @@ talks to the standard devpi JSON API directly.
   - **`Tokens`** (owner / root only) — opens the per-index unified Tokens modal with two
     sections (Admin + Devpi), shows existing tokens for this index, lets you issue new
     ones with the index pre-filled and locked
+  - **`Refresh cache`** (mirror indexes only, any authenticated user) — invalidates
+    the in-memory per-project and project-names caches; the next `+simple/<project>/`
+    query (from pip, the UI, or `devpi-client`) goes back to upstream
+    (etag-conditional, cheap)
   - **`Edit`** / **`Delete`** (owner / root)
 - Create / edit / delete indexes via modal dialogs
 - `bases` editor with drag & drop priority ordering and transitive inheritance display
@@ -597,6 +601,30 @@ Revoke a single token.
 - **200:** `{"revoked": true, "id": "abc..."}`
 - **404:** token id not found
 
+### Mirror cache
+
+#### `POST /+admin-api/mirror/{user}/{index}/refresh-cache`
+Invalidate the in-memory mirror caches so the next pip / UI / `devpi-client` request
+re-checks upstream. Lazy — no upstream fetch happens at the moment of the call; the
+re-fetch is triggered by the next `+simple/<project>/` lookup that traverses this
+mirror (etag-conditional, typically one cheap HTTP round-trip per project actually
+queried). Two caches are expired:
+
+- `cache_retrieve_times` — per-project last-fetch timestamp + etag (every tracked
+  project, in one pass)
+- `cache_projectnames` — full PyPI project-name list (refetched on the next "list all
+  projects" call)
+
+Useful when waiting for a freshly-published upstream release that's still hidden
+behind the `mirror_cache_expiry` TTL (default 30 min).
+
+- **Auth:** required (any authenticated user)
+- **Primary only:** replicas return 400 (caches are process-local; replicas sync the
+  persisted state via the changelog stream once the primary refetches)
+- **200:** `{"result": {"projects_invalidated": N, "projectnames_invalidated": true}}`
+- **400:** index is not a mirror, or the call hit a replica
+- **404:** index doesn't exist
+
 ### Replication observability (primary only)
 
 #### `GET /+admin-api/replicas`

{devpi_admin-1.4.2 → devpi_admin-1.4.4}/README.md

@@ -37,6 +37,10 @@ talks to the standard devpi JSON API directly.
   - **`Tokens`** (owner / root only) — opens the per-index unified Tokens modal with two
     sections (Admin + Devpi), shows existing tokens for this index, lets you issue new
     ones with the index pre-filled and locked
+  - **`Refresh cache`** (mirror indexes only, any authenticated user) — invalidates
+    the in-memory per-project and project-names caches; the next `+simple/<project>/`
+    query (from pip, the UI, or `devpi-client`) goes back to upstream
+    (etag-conditional, cheap)
   - **`Edit`** / **`Delete`** (owner / root)
 - Create / edit / delete indexes via modal dialogs
 - `bases` editor with drag & drop priority ordering and transitive inheritance display
@@ -573,6 +577,30 @@ Revoke a single token.
 - **200:** `{"revoked": true, "id": "abc..."}`
 - **404:** token id not found
 
+### Mirror cache
+
+#### `POST /+admin-api/mirror/{user}/{index}/refresh-cache`
+Invalidate the in-memory mirror caches so the next pip / UI / `devpi-client` request
+re-checks upstream. Lazy — no upstream fetch happens at the moment of the call; the
+re-fetch is triggered by the next `+simple/<project>/` lookup that traverses this
+mirror (etag-conditional, typically one cheap HTTP round-trip per project actually
+queried). Two caches are expired:
+
+- `cache_retrieve_times` — per-project last-fetch timestamp + etag (every tracked
+  project, in one pass)
+- `cache_projectnames` — full PyPI project-name list (refetched on the next "list all
+  projects" call)
+
+Useful when waiting for a freshly-published upstream release that's still hidden
+behind the `mirror_cache_expiry` TTL (default 30 min).
+
+- **Auth:** required (any authenticated user)
+- **Primary only:** replicas return 400 (caches are process-local; replicas sync the
+  persisted state via the changelog stream once the primary refetches)
+- **200:** `{"result": {"projects_invalidated": N, "projectnames_invalidated": true}}`
+- **400:** index is not a mirror, or the call hit a replica
+- **404:** index doesn't exist
+
 ### Replication observability (primary only)
 
 #### `GET /+admin-api/replicas`

{devpi_admin-1.4.2 → devpi_admin-1.4.4}/devpi_admin/_version.py

@@ -18,7 +18,7 @@ version_tuple: tuple[int | str, ...]
 commit_id: str | None
 __commit_id__: str | None
 
-__version__ = version = '1.4.2'
-__version_tuple__ = version_tuple = (1, 4, 2)
+__version__ = version = '1.4.4'
+__version_tuple__ = version_tuple = (1, 4, 4)
 
-__commit_id__ = commit_id = 'g1bf2e00e1'
+__commit_id__ = commit_id = 'g312e747ee'

{devpi_admin-1.4.2 → devpi_admin-1.4.4}/devpi_admin/main.py

@@ -255,6 +255,16 @@ def devpiserver_pyramid_configure(config, pyramid_config):
         _revoke_token_view, route_name="devpi_admin_token_revoke",
         request_method="DELETE")
 
+    # Mirror cache refresh — invalidate per-project retrieve-times and
+    # the project-names list so the next pip request re-fetches upstream.
+    pyramid_config.add_route(
+        "devpi_admin_mirror_refresh_cache",
+        "/+admin-api/mirror/{user}/{index}/refresh-cache")
+    pyramid_config.add_view(
+        _refresh_mirror_cache_view,
+        route_name="devpi_admin_mirror_refresh_cache",
+        request_method="POST")
+
     # Redirect browser visits to "/" to the SPA. Other routes (JSON API
     # calls, CLI requests) pass through untouched because they send
     # Accept: application/json.
@@ -372,32 +382,29 @@ def _versiondata_view(request):
         return HTTPNotFound(json_body={"error": "version not found"})
     # Convert to plain dict with JSON-safe types
     result = _to_json_safe(verdata)
-    # Include file links — filter releaselinks to this version
-    try:
-        all_links = stage.get_releaselinks(project)
-    except Exception:
-        _log.warning(
-            "Failed to get releaselinks for %s/%s/%s",
-            user, index, project, exc_info=True)
-        all_links = []
+    # Build file links from the verdata's own +elinks. Unlike
+    # get_releaselinks() — which reconstructs ELinks from simplelinks
+    # metadata and therefore has no "_log" — these carry the upload
+    # log entries (who/when). Mirror elinks have no "_log" at all;
+    # the "log" key is then simply absent.
     result["+links"] = []
-    for link in all_links:
-        if link.version != version:
+    for linkdict in result.pop("+elinks", None) or []:
+        if linkdict.get("rel") != "releasefile":
             continue
+        entrypath = linkdict.get("entrypath") or ""
+        hashes = linkdict.get("hashes") or {}
+        if hashes.get("sha256"):
+            hash_spec = "sha256=" + hashes["sha256"]
+        else:
+            hash_spec = linkdict.get("hash_spec") or ""
         link_info = {
-            "href": "/" + link.relpath,
-            "basename": link.basename,
-            "hash_spec": link.best_available_hash_spec,
+            "href": "/" + entrypath,
+            "basename": entrypath.rsplit("/", 1)[-1],
+            "hash_spec": hash_spec,
         }
-        try:
-            log = link._log
-            link_info["log"] = [
-                {k: (list(v) if k == "when" else v)
-                 for k, v in entry.items()}
-                for entry in log
-            ]
-        except (AttributeError, TypeError):
-            pass
+        log = linkdict.get("_log")
+        if log:
+            link_info["log"] = log
         result["+links"].append(link_info)
     return _json_response({"result": result})
 
@@ -1415,6 +1422,61 @@ def _revoke_token_view(request):
     return _json_response({"revoked": True, "id": tid})
 
 
+def _refresh_mirror_cache_view(request):
+    """POST /+admin-api/mirror/{user}/{index}/refresh-cache
+
+    Invalidate the in-memory mirror caches so the next pip request goes
+    back to upstream:
+
+    * ``cache_retrieve_times`` — per-project last-fetch timestamp + etag.
+      Expiring forces a conditional GET on the next ``+simple/<project>/``
+      lookup; etag match still reuses the persisted ``PROJSIMPLELINKS``
+      keyfs entry, so the only cost is one HTTP round-trip per project
+      that pip actually queries (we don't pre-fetch).
+    * ``cache_projectnames`` — full PyPI manifest. Expiring forces the
+      next "list all projects" call to refetch (rare path — mostly used
+      by ``pip install <unknown>`` to discover the project exists).
+
+    Caches are process-local: this only works on the primary (the
+    replica's local cache is meaningless to invalidate, and replicas
+    sync persisted state via the changelog stream). Any authenticated
+    user may trigger the refresh — anonymous spam is blocked by auth,
+    upstream-side abuse is bounded by mirror semantics (etag-conditional
+    requests dominate).
+    """
+    xom = request.registry["xom"]
+    _refuse_on_replica(xom)
+    _require_authenticated(request)
+    user = request.matchdict["user"]
+    index = request.matchdict["index"]
+    _validate_name(user, "user")
+    _validate_name(index, "index")
+    with xom.keyfs.read_transaction(allow_reuse=True):
+        stage = xom.model.getstage(user, index)
+        if stage is None:
+            raise HTTPNotFound(
+                json_body={"error": f"index {user}/{index} does not exist"})
+        if stage.ixconfig.get("type") != "mirror":
+            raise HTTPBadRequest(json_body={
+                "error": "cache refresh applies to mirror indexes only"})
+    # `_project2time` is the per-xom singleton dict that backs the
+    # per-project cache; iterating its keys lets us expire only entries
+    # devpi has actually populated. The public `expire(project)` API is
+    # safe for non-tracked projects too (it's pop-with-default), so we
+    # don't need to special-case empty caches.
+    crt = stage.cache_retrieve_times
+    projects = list(getattr(crt, "_project2time", {}).keys())
+    for project in projects:
+        crt.expire(project)
+    stage.cache_projectnames.expire()
+    return _json_response({
+        "result": {
+            "projects_invalidated": len(projects),
+            "projectnames_invalidated": True,
+        },
+    })
+
+
 def _reset_tokens_view(request):
     """DELETE /+admin-api/users/{user}/tokens — revoke all for a user."""
     xom = request.registry["xom"]

{devpi_admin-1.4.2 → devpi_admin-1.4.4}/devpi_admin/static/css/style.css

@@ -428,7 +428,7 @@ body {
 
 .index-grid {
     display: grid;
-    grid-template-columns: repeat(auto-fill, minmax(280px, 1fr));
+    grid-template-columns: repeat(auto-fill, minmax(320px, 1fr));
     gap: 12px;
 }
 
@@ -461,10 +461,19 @@ body {
     gap: 8px;
 }
 
+.index-card-path {
+    display: flex;
+    align-items: baseline;
+    gap: 2px;
+    min-width: 0;
+    flex: 1 1 auto;
+}
+
 .index-card-tags {
     display: flex;
     gap: 4px;
     margin-left: auto;
+    flex-shrink: 0;
 }
 
 .index-card-owner {
@@ -481,7 +490,7 @@ body {
 .index-card-sep {
     font-size: 16px;
     color: var(--text-faint);
-    margin: 0 1px;
+    margin: 0;
 }
 
 .index-card-name {
@@ -1088,6 +1097,44 @@ body {
     color: var(--tag-text);
 }
 
+/* Compact single-letter variant used in index-card heads where the
+   full word (mirror/stage/volatile/...) would push the kebab off the
+   row in narrow grid columns. Hover tooltip (data-tooltip) carries
+   the long form — uses a CSS pseudo so it appears instantly instead
+   of waiting for the browser's native title delay. */
+.tag-letter {
+    padding: 1px 6px;
+    font-size: 11px;
+    font-weight: 700;
+    font-family: var(--mono, ui-monospace, monospace);
+    min-width: 18px;
+    text-align: center;
+    position: relative;
+}
+
+.tag-letter[data-tooltip]:hover::after,
+.tag-letter[data-tooltip]:focus-visible::after {
+    content: attr(data-tooltip);
+    position: absolute;
+    bottom: calc(100% + 6px);
+    left: 50%;
+    transform: translateX(-50%);
+    background: var(--bg-surface);
+    color: var(--text);
+    border: 1px solid var(--border);
+    box-shadow: 0 4px 12px rgba(0, 0, 0, 0.18);
+    padding: 5px 8px;
+    border-radius: 4px;
+    font-size: 12px;
+    font-weight: 400;
+    font-family: inherit;
+    white-space: normal;
+    max-width: 260px;
+    width: max-content;
+    z-index: 100;
+    pointer-events: none;
+}
+
 .tag-volatile {
     background: #fef3c7;
     color: #92400e;
@@ -1532,6 +1579,13 @@ body {
     word-break: break-word;
 }
 
+.pkg-sidebar-text {
+    margin-top: 4px;
+    font-size: 12px;
+    color: var(--text);
+    word-break: break-word;
+}
+
 .pkg-sidebar-list {
     list-style: none;
     margin-top: 4px;
@@ -1644,6 +1698,11 @@ body {
     color: var(--text-faint);
 }
 
+.pkg-card-updated {
+    font-size: 12px;
+    color: var(--text-faint);
+}
+
 /* --- Version cards --- */
 
 .ver-grid {

{devpi_admin-1.4.2 → devpi_admin-1.4.4}/devpi_admin/static/js/app.js

@@ -2421,7 +2421,13 @@
                 closeModal();
                 updateAuthUI();
                 navigate();
-                _triggerPasswordSave(user, pass);
+                // Preserve the current hash through the PRG redirect that
+                // form.submit() to /+admin triggers — otherwise the
+                // browser lands on /+admin/ with no fragment and the
+                // user's original deep link (or the page they were on
+                // when the session expired) is lost.
+                var currentHash = (window.location.hash || '').replace(/^#/, '');
+                _triggerPasswordSave(user, pass, currentHash);
             })
             .catch(showModalError);
     }
@@ -2825,47 +2831,61 @@
 
                 // Card header: name + type badge
                 var cardHead = el('div', {className: 'index-card-head'});
-                cardHead.appendChild(el('a', {
+                // Path container groups owner / sep / name so the only
+                // wide flex gap in the head is between path, tags, and
+                // kebab — the separator hugs both sides like a real
+                // filesystem path.
+                var pathWrap = el('div', {className: 'index-card-path'});
+                pathWrap.appendChild(el('a', {
                     href: '#indexes/' + idx._user,
                     className: 'index-card-owner',
                     textContent: idx._user,
                 }));
-                cardHead.appendChild(el('span', {
+                pathWrap.appendChild(el('span', {
                     className: 'index-card-sep',
                     textContent: '/',
                 }));
-                cardHead.appendChild(el('a', {
+                pathWrap.appendChild(el('a', {
                     href: '#packages/' + idx._full,
                     className: 'index-card-name',
                     textContent: idx._name,
                 }));
+                cardHead.appendChild(pathWrap);
+                // Type / state badges. Single-letter labels (M/S/V/W/N)
+                // keep multi-badge headers from wrapping in tight grids;
+                // `title` exposes the full word on hover for clarity.
                 var tagGroup = el('div', {className: 'index-card-tags'});
                 tagGroup.appendChild(el('span', {
-                    className: 'tag' + (isMirror ? ' tag-mirror' : ' tag-stage'),
-                    textContent: idx.type || 'stage',
+                    className: 'tag tag-letter'
+                        + (isMirror ? ' tag-mirror' : ' tag-stage'),
+                    textContent: isMirror ? 'M' : 'S',
+                    'data-tooltip': idx.type || 'stage',
                 }));
                 if (!isMirror && idx.volatile) {
                     tagGroup.appendChild(el('span', {
-                        className: 'tag tag-volatile',
-                        textContent: 'volatile',
+                        className: 'tag tag-letter tag-volatile',
+                        textContent: 'V',
+                        'data-tooltip': 'volatile — uploads may overwrite '
+                            + 'existing versions',
                     }));
                 }
                 if (!isMirror && isAnonymousAclUpload(idx.acl_upload)) {
                     tagGroup.appendChild(el('span', {
-                        className: 'tag tag-world-writable',
-                        textContent: 'world-writable',
-                        title: 'acl_upload contains :ANONYMOUS: — anyone, '
-                            + 'including unauthenticated callers, can '
-                            + 'publish packages to this index.',
+                        className: 'tag tag-letter tag-world-writable',
+                        textContent: 'W',
+                        'data-tooltip': 'world-writable — acl_upload '
+                            + 'contains :ANONYMOUS:; anyone (including '
+                            + 'unauthenticated callers) can publish to '
+                            + 'this index.',
                     }));
                 } else if (!isMirror && isUploadFrozen(idx.acl_upload)) {
                     tagGroup.appendChild(el('span', {
-                        className: 'tag tag-no-upload',
-                        textContent: 'no upload',
-                        title: 'acl_upload is empty — nobody can publish '
-                            + 'to this index, not even the owner or root. '
-                            + 'Add a principal to acl_upload to enable '
-                            + 'uploads.',
+                        className: 'tag tag-letter tag-no-upload',
+                        textContent: 'N',
+                        'data-tooltip': 'no upload — acl_upload is empty; '
+                            + 'nobody can publish to this index, not even '
+                            + 'the owner or root. Add a principal to '
+                            + 'acl_upload to enable uploads.',
                     }));
                 }
                 cardHead.appendChild(tagGroup);
@@ -2959,6 +2979,22 @@
                         });
                     })(idx);
                 }
+                // Mirror-only: any authenticated user may trigger an
+                // upstream re-fetch (etag-conditional, low cost). Useful
+                // when waiting for a freshly-published upstream release
+                // that's hidden behind the `mirror_cache_expiry` TTL.
+                if (isMirror && loggedIn) {
+                    (function (idxRef) {
+                        menuItems.push({
+                            label: 'Refresh cache',
+                            onclick: function () {
+                                closeAllKebabs();
+                                refreshMirrorCache(
+                                    idxRef._user, idxRef._name);
+                            },
+                        });
+                    })(idx);
+                }
                 if (menuItems.length) {
                     cardHead.appendChild(buildKebabMenu(menuItems));
                 }
@@ -3223,6 +3259,51 @@
             .catch(handleApiError);
     }
 
+    function refreshMirrorCache(user, index) {
+        // Non-destructive: just bumps the upstream-fetch clocks. Skip
+        // the confirm dialog; show a small result modal so the user
+        // knows whether the request reached the primary.
+        Api.post(
+            '/+admin-api/mirror/'
+                + encodeURIComponent(user) + '/'
+                + encodeURIComponent(index) + '/refresh-cache',
+            {})
+            .then(function (data) {
+                var r = (data && data.result) || {};
+                var count = r.projects_invalidated;
+                openModal('Cache refreshed', function (body) {
+                    body.appendChild(el('p', {
+                        textContent: 'Mirror "' + user + '/' + index
+                            + '" cache invalidated. '
+                            + count + ' project'
+                            + (count === 1 ? '' : 's')
+                            + ' will re-check upstream on next access.',
+                    }));
+                    body.appendChild(el('p', {
+                        className: 'note',
+                        textContent: 'Note: cache is process-local; '
+                            + 'replicas will sync once the primary refetches.',
+                    }));
+                }, [el('button', {
+                    className: 'btn btn-primary',
+                    textContent: 'OK',
+                    onclick: closeModal,
+                })]);
+            })
+            .catch(function (err) {
+                openModal('Cache refresh failed', function (body) {
+                    body.appendChild(el('p', {
+                        className: 'error',
+                        textContent: (err && err.message) || String(err),
+                    }));
+                }, [el('button', {
+                    className: 'btn btn-primary',
+                    textContent: 'Close',
+                    onclick: closeModal,
+                })]);
+            });
+    }
+
     // ========== PACKAGES ==========
 
     var PKG_LIMIT = 100;
@@ -3260,6 +3341,18 @@
             Api.get('/' + indexPath + '/' + pkg).then(function (pkgData) {
                 var vers = Object.keys(pkgData.result).sort(compareVersions);
                 versionEl.textContent = vers.length ? 'v' + vers[0] : 'no versions';
+                // Last update across all versions of the package
+                var best = null;
+                for (var i = 0; i < vers.length; i++) {
+                    var w = lastLogWhen(pkgData.result[vers[i]]['+links']);
+                    if (w && (!best || cmpLogWhen(w, best) > 0)) best = w;
+                }
+                if (best) {
+                    card.appendChild(el('div', {
+                        className: 'pkg-card-updated',
+                        textContent: 'Updated ' + formatLogWhen(best),
+                    }));
+                }
             }).catch(function () {
                 versionEl.textContent = '';
             });
@@ -3518,7 +3611,22 @@
             content.appendChild(el('div', {className: 'view-header'}, [
                 buildBreadcrumb(indexPath, [
                     ' / ',
-                    el('a', {href: '#package/' + indexPath + '/' + pkg, textContent: pkg}),
+                    el('a', {
+                        href: '#package/' + indexPath + '/' + pkg,
+                        textContent: pkg,
+                        onclick: function (e) {
+                            // Same-hash click fires no hashchange event —
+                            // force a reload of the package detail.
+                            if (e.metaKey || e.ctrlKey || e.shiftKey) return;
+                            e.preventDefault();
+                            var target = '#package/' + indexPath + '/' + pkg;
+                            if (window.location.hash !== target) {
+                                _skipHashChange = true;
+                                window.location.hash = target;
+                            }
+                            loadPackageDetail(indexPath, pkg);
+                        },
+                    }),
                     ' ',
                     el('span', {className: 'page-heading-version', textContent: 'v' + currentVer}),
                 ]),
@@ -3555,6 +3663,18 @@
                 }));
             }
 
+            var uploadedWhen = lastLogWhen(info['+links']);
+            if (uploadedWhen) {
+                infoCard.appendChild(el('div', {
+                    className: 'pkg-sidebar-label',
+                    textContent: 'Uploaded',
+                }));
+                infoCard.appendChild(el('div', {
+                    className: 'pkg-sidebar-text',
+                    textContent: formatLogWhen(uploadedWhen),
+                }));
+            }
+
             var infoRows = [];
             if (info.requires_python) infoRows.push(['Python', info.requires_python]);
             var license = info.license_expression || info.license;
@@ -3655,9 +3775,7 @@
                     var dateStr = '';
                     if (link.log && link.log.length) {
                         var log = link.log[0];
-                        var when = log.when;
-                        dateStr = when[0] + '-' + pad(when[1]) + '-' + pad(when[2]) + ' ' +
-                            pad(when[3]) + ':' + pad(when[4]);
+                        dateStr = formatLogWhen(log.when);
                         if (log.who) dateStr = log.who + ', ' + dateStr;
                     }
                     if (dateStr && dateStr !== lastDate) {
@@ -3839,6 +3957,36 @@
         return n < 10 ? '0' + n : '' + n;
     }
 
+    function formatLogWhen(when) {
+        // keyfs link log 'when' is a UTC tuple [Y, M, D, h, m, s]
+        return when[0] + '-' + pad(when[1]) + '-' + pad(when[2]) + ' ' +
+            pad(when[3]) + ':' + pad(when[4]);
+    }
+
+    function cmpLogWhen(a, b) {
+        for (var i = 0; i < a.length && i < b.length; i++) {
+            if (a[i] !== b[i]) return a[i] - b[i];
+        }
+        return 0;
+    }
+
+    function lastLogWhen(links) {
+        // Latest log timestamp across release links — upload, push and
+        // overwrite entries all represent a content update. Mirror links
+        // carry no log → returns null.
+        var best = null;
+        for (var i = 0; i < (links || []).length; i++) {
+            var log = links[i].log || [];
+            for (var j = 0; j < log.length; j++) {
+                var when = log[j].when;
+                if (when && (!best || cmpLogWhen(when, best) > 0)) {
+                    best = when;
+                }
+            }
+        }
+        return best;
+    }
+
     var _preReleaseOrder = {dev: 0, a: 1, alpha: 1, b: 2, beta: 2, rc: 3, c: 3};
 
     function _parseVersion(v) {

{devpi_admin-1.4.2 → devpi_admin-1.4.4}/devpi_admin.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: devpi-admin
-Version: 1.4.2
+Version: 1.4.4
 Summary: Modern web UI plugin for devpi-server — drop-in replacement for devpi-web
 Author-email: Pavel Revak <pavelrevak@gmail.com>
 License: MIT
@@ -61,6 +61,10 @@ talks to the standard devpi JSON API directly.
   - **`Tokens`** (owner / root only) — opens the per-index unified Tokens modal with two
     sections (Admin + Devpi), shows existing tokens for this index, lets you issue new
     ones with the index pre-filled and locked
+  - **`Refresh cache`** (mirror indexes only, any authenticated user) — invalidates
+    the in-memory per-project and project-names caches; the next `+simple/<project>/`
+    query (from pip, the UI, or `devpi-client`) goes back to upstream
+    (etag-conditional, cheap)
   - **`Edit`** / **`Delete`** (owner / root)
 - Create / edit / delete indexes via modal dialogs
 - `bases` editor with drag & drop priority ordering and transitive inheritance display
@@ -597,6 +601,30 @@ Revoke a single token.
 - **200:** `{"revoked": true, "id": "abc..."}`
 - **404:** token id not found
 
+### Mirror cache
+
+#### `POST /+admin-api/mirror/{user}/{index}/refresh-cache`
+Invalidate the in-memory mirror caches so the next pip / UI / `devpi-client` request
+re-checks upstream. Lazy — no upstream fetch happens at the moment of the call; the
+re-fetch is triggered by the next `+simple/<project>/` lookup that traverses this
+mirror (etag-conditional, typically one cheap HTTP round-trip per project actually
+queried). Two caches are expired:
+
+- `cache_retrieve_times` — per-project last-fetch timestamp + etag (every tracked
+  project, in one pass)
+- `cache_projectnames` — full PyPI project-name list (refetched on the next "list all
+  projects" call)
+
+Useful when waiting for a freshly-published upstream release that's still hidden
+behind the `mirror_cache_expiry` TTL (default 30 min).
+
+- **Auth:** required (any authenticated user)
+- **Primary only:** replicas return 400 (caches are process-local; replicas sync the
+  persisted state via the changelog stream once the primary refetches)
+- **200:** `{"result": {"projects_invalidated": N, "projectnames_invalidated": true}}`
+- **400:** index is not a mirror, or the call hit a replica
+- **404:** index doesn't exist
+
 ### Replication observability (primary only)
 
 #### `GET /+admin-api/replicas`

devpi_admin-1.4.4/tests/test_view_helpers.py

@@ -0,0 +1,229 @@
+"""Tests for view-layer helpers (_get_stage_or_404, _check_read_access)."""
+import json
+import unittest
+from unittest.mock import MagicMock, patch
+
+from pyramid.httpexceptions import HTTPBadRequest, HTTPForbidden, HTTPNotFound
+
+from devpi_admin.main import (
+    _check_read_access, _get_stage_or_404, _refresh_mirror_cache_view,
+    _serve_index, _versiondata_view)
+
+
+class GetStageOr404Tests(unittest.TestCase):
+
+    def test_returns_stage(self):
+        xom = MagicMock()
+        stage = MagicMock()
+        xom.model.getstage.return_value = stage
+        self.assertIs(_get_stage_or_404(xom, "alice", "dev"), stage)
+
+    def test_raises_404_when_missing(self):
+        xom = MagicMock()
+        xom.model.getstage.return_value = None
+        with self.assertRaises(HTTPNotFound):
+            _get_stage_or_404(xom, "ghost", "ix")
+
+
+class CheckReadAccessTests(unittest.TestCase):
+
+    def _make(self, allow, auth_user):
+        req = MagicMock()
+        req.has_permission.return_value = allow
+        req.authenticated_userid = auth_user
+        return req
+
+    def test_allowed_returns_none(self):
+        # Should silently pass — no exception, no return value relied upon.
+        self.assertIsNone(
+            _check_read_access(self._make(True, "alice"), MagicMock()))
+
+    def test_denied_anonymous_gets_403(self):
+        # Anonymous denial returns 403 so devpi-cli / pip can retry with auth.
+        with self.assertRaises(HTTPForbidden):
+            _check_read_access(self._make(False, None), MagicMock())
+
+    def test_denied_authenticated_gets_404(self):
+        # Authenticated user without read access gets 404 — hides the
+        # existence of the private index.
+        with self.assertRaises(HTTPNotFound):
+            _check_read_access(self._make(False, "bob"), MagicMock())
+
+
+class ServeIndexTests(unittest.TestCase):
+
+    def _serve(self):
+        # FileResponse needs a real file on disk; STATIC_DIR/index.html
+        # is bundled and exists in test runs (verified by test_package).
+        request = MagicMock()
+        return _serve_index(request)
+
+    def test_csp_header_present(self):
+        resp = self._serve()
+        csp = resp.headers.get("Content-Security-Policy", "")
+        self.assertIn("default-src 'self'", csp)
+        self.assertIn("frame-ancestors 'none'", csp)
+        self.assertIn("script-src 'self'", csp)
+        # inline script must NOT be allowed
+        self.assertNotIn("'unsafe-inline'", csp.split("script-src")[1].split(";")[0])
+
+    def test_csp_allows_pypi_for_readme_fallback(self):
+        resp = self._serve()
+        csp = resp.headers.get("Content-Security-Policy", "")
+        self.assertIn("https://pypi.org", csp)
+
+    def test_security_headers_present(self):
+        resp = self._serve()
+        self.assertEqual(resp.headers.get("X-Content-Type-Options"), "nosniff")
+        self.assertEqual(resp.headers.get("Referrer-Policy"), "no-referrer")
+
+
+class RefreshMirrorCacheViewTests(unittest.TestCase):
+
+    def _stub_xom(self, stage=None, is_replica=False):
+        xom = MagicMock()
+        xom.config.role = "replica" if is_replica else "primary"
+        xom.model.getstage.return_value = stage
+        ctx = MagicMock()
+        ctx.__enter__ = MagicMock(return_value=ctx)
+        ctx.__exit__ = MagicMock(return_value=False)
+        xom.keyfs.read_transaction.return_value = ctx
+        return xom
+
+    def _stub_mirror_stage(self, tracked_projects=("setuptools", "pip")):
+        stage = MagicMock()
+        stage.ixconfig = {"type": "mirror"}
+        stage.cache_retrieve_times._project2time = {
+            p: (1.0, None) for p in tracked_projects}
+        stage.cache_retrieve_times.expire = MagicMock()
+        stage.cache_projectnames.expire = MagicMock()
+        return stage
+
+    def _make(self, xom, user="root", index="pypi", auth_user="alice"):
+        req = MagicMock()
+        req.registry = {"xom": xom}
+        req.matchdict = {"user": user, "index": index}
+        req.authenticated_userid = auth_user
+        return req
+
+    def test_expires_all_tracked_projects_and_projectnames(self):
+        stage = self._stub_mirror_stage(("setuptools", "pip", "wheel"))
+        xom = self._stub_xom(stage=stage)
+        with patch("devpi_admin.main._is_replica", return_value=False):
+            resp = _refresh_mirror_cache_view(self._make(xom))
+        body = json.loads(resp.body)
+        self.assertEqual(body["result"]["projects_invalidated"], 3)
+        self.assertTrue(body["result"]["projectnames_invalidated"])
+        # Every tracked project must have been expired exactly once;
+        # the project-names cache must be expired regardless.
+        self.assertEqual(stage.cache_retrieve_times.expire.call_count, 3)
+        stage.cache_projectnames.expire.assert_called_once_with()
+
+    def test_404_when_index_missing(self):
+        xom = self._stub_xom(stage=None)
+        with patch("devpi_admin.main._is_replica", return_value=False):
+            with self.assertRaises(HTTPNotFound):
+                _refresh_mirror_cache_view(self._make(xom))
+
+    def test_400_when_index_is_not_mirror(self):
+        stage = MagicMock()
+        stage.ixconfig = {"type": "stage"}
+        xom = self._stub_xom(stage=stage)
+        with patch("devpi_admin.main._is_replica", return_value=False):
+            with self.assertRaises(HTTPBadRequest):
+                _refresh_mirror_cache_view(self._make(xom))
+
+    def test_replica_refuses(self):
+        xom = self._stub_xom(stage=self._stub_mirror_stage())
+        with patch("devpi_admin.main._is_replica", return_value=True):
+            with self.assertRaises(HTTPBadRequest):
+                _refresh_mirror_cache_view(self._make(xom))
+
+    def test_unauthenticated_blocked(self):
+        xom = self._stub_xom(stage=self._stub_mirror_stage())
+        with patch("devpi_admin.main._is_replica", return_value=False):
+            with self.assertRaises(HTTPForbidden):
+                _refresh_mirror_cache_view(
+                    self._make(xom, auth_user=None))
+
+
+class VersiondataViewTests(unittest.TestCase):
+    """+links must be built from verdata +elinks (which carry _log).
+
+    Regression: get_releaselinks() reconstructs ELinks from simplelinks
+    metadata without "_log", so the upload timestamps never reached the
+    response when the view used it.
+    """
+
+    def _make(self, verdata):
+        stage = MagicMock()
+        stage.get_versiondata.return_value = verdata
+        xom = MagicMock()
+        xom.model.getstage.return_value = stage
+        req = MagicMock()
+        req.registry = {"xom": xom}
+        req.matchdict = {
+            "user": "alice", "index": "dev",
+            "project": "testpkg", "version": "1.0"}
+        req.has_permission.return_value = True
+        req.authenticated_userid = "alice"
+        return req
+
+    def test_links_carry_upload_log(self):
+        verdata = {
+            "name": "testpkg", "version": "1.0",
+            "+elinks": [
+                {
+                    "rel": "releasefile",
+                    "entrypath": "alice/dev/+f/b28/abc/testpkg-1.0.tar.gz",
+                    "hash_spec": "md5=deadbeef",
+                    "hashes": {"sha256": "cafe"},
+                    "_log": [{
+                        "what": "upload", "who": "alice",
+                        "when": (2026, 6, 5, 8, 10, 44),
+                        "dst": "alice/dev"}],
+                },
+                {
+                    # non-releasefile links must be filtered out
+                    "rel": "toxresult",
+                    "entrypath": "alice/dev/+f/123/tox.json",
+                },
+            ],
+        }
+        body = json.loads(_versiondata_view(self._make(verdata)).body)
+        result = body["result"]
+        self.assertNotIn("+elinks", result)
+        self.assertEqual(len(result["+links"]), 1)
+        link = result["+links"][0]
+        self.assertEqual(
+            link["href"], "/alice/dev/+f/b28/abc/testpkg-1.0.tar.gz")
+        self.assertEqual(link["basename"], "testpkg-1.0.tar.gz")
+        self.assertEqual(link["hash_spec"], "sha256=cafe")
+        self.assertEqual(link["log"][0]["when"], [2026, 6, 5, 8, 10, 44])
+        self.assertEqual(link["log"][0]["who"], "alice")
+
+    def test_mirror_links_without_log(self):
+        # Mirror elinks carry no "_log" — the "log" key must be absent,
+        # not present-but-empty.
+        verdata = {
+            "name": "testpkg", "version": "1.0",
+            "+elinks": [{
+                "rel": "releasefile",
+                "entrypath": "root/pypi/+f/abc/testpkg-1.0.tar.gz",
+                "hash_spec": "md5=deadbeef",
+                "hashes": {},
+            }],
+        }
+        body = json.loads(_versiondata_view(self._make(verdata)).body)
+        link = body["result"]["+links"][0]
+        self.assertNotIn("log", link)
+        self.assertEqual(link["hash_spec"], "md5=deadbeef")
+
+    def test_no_elinks_yields_empty_links(self):
+        verdata = {"name": "testpkg", "version": "1.0"}
+        body = json.loads(_versiondata_view(self._make(verdata)).body)
+        self.assertEqual(body["result"]["+links"], [])
+
+
+if __name__ == "__main__":
+    unittest.main()

devpi_admin-1.4.2/tests/test_view_helpers.py

@@ -1,79 +0,0 @@
-"""Tests for view-layer helpers (_get_stage_or_404, _check_read_access)."""
-import unittest
-from unittest.mock import MagicMock, patch
-
-from pyramid.httpexceptions import HTTPForbidden, HTTPNotFound
-
-from devpi_admin.main import _check_read_access, _get_stage_or_404, _serve_index
-
-
-class GetStageOr404Tests(unittest.TestCase):
-
-    def test_returns_stage(self):
-        xom = MagicMock()
-        stage = MagicMock()
-        xom.model.getstage.return_value = stage
-        self.assertIs(_get_stage_or_404(xom, "alice", "dev"), stage)
-
-    def test_raises_404_when_missing(self):
-        xom = MagicMock()
-        xom.model.getstage.return_value = None
-        with self.assertRaises(HTTPNotFound):
-            _get_stage_or_404(xom, "ghost", "ix")
-
-
-class CheckReadAccessTests(unittest.TestCase):
-
-    def _make(self, allow, auth_user):
-        req = MagicMock()
-        req.has_permission.return_value = allow
-        req.authenticated_userid = auth_user
-        return req
-
-    def test_allowed_returns_none(self):
-        # Should silently pass — no exception, no return value relied upon.
-        self.assertIsNone(
-            _check_read_access(self._make(True, "alice"), MagicMock()))
-
-    def test_denied_anonymous_gets_403(self):
-        # Anonymous denial returns 403 so devpi-cli / pip can retry with auth.
-        with self.assertRaises(HTTPForbidden):
-            _check_read_access(self._make(False, None), MagicMock())
-
-    def test_denied_authenticated_gets_404(self):
-        # Authenticated user without read access gets 404 — hides the
-        # existence of the private index.
-        with self.assertRaises(HTTPNotFound):
-            _check_read_access(self._make(False, "bob"), MagicMock())
-
-
-class ServeIndexTests(unittest.TestCase):
-
-    def _serve(self):
-        # FileResponse needs a real file on disk; STATIC_DIR/index.html
-        # is bundled and exists in test runs (verified by test_package).
-        request = MagicMock()
-        return _serve_index(request)
-
-    def test_csp_header_present(self):
-        resp = self._serve()
-        csp = resp.headers.get("Content-Security-Policy", "")
-        self.assertIn("default-src 'self'", csp)
-        self.assertIn("frame-ancestors 'none'", csp)
-        self.assertIn("script-src 'self'", csp)
-        # inline script must NOT be allowed
-        self.assertNotIn("'unsafe-inline'", csp.split("script-src")[1].split(";")[0])
-
-    def test_csp_allows_pypi_for_readme_fallback(self):
-        resp = self._serve()
-        csp = resp.headers.get("Content-Security-Policy", "")
-        self.assertIn("https://pypi.org", csp)
-
-    def test_security_headers_present(self):
-        resp = self._serve()
-        self.assertEqual(resp.headers.get("X-Content-Type-Options"), "nosniff")
-        self.assertEqual(resp.headers.get("Referrer-Policy"), "no-referrer")
-
-
-if __name__ == "__main__":
-    unittest.main()