pulp-python 3.20.0__tar.gz → 3.21.0__tar.gz

{pulp_python-3.20.0 → pulp_python-3.21.0}/CHANGES.md

@@ -8,6 +8,24 @@
 
 [//]: # (towncrier release notes start)
 
+## 3.21.0 (2025-11-18) {: #3.21.0 }
+
+#### Features {: #3.21.0-feature }
+
+- Added ability to serve a specific repository version of a PyPI index.
+  [#982](https://github.com/pulp/pulp_python/issues/982)
+- Implemented PEP 700 support, adding `versions`, `size` and `upload-time` to the Simple JSON API.
+  [#996](https://github.com/pulp/pulp_python/issues/996)
+- Added the new /scan endpoint to the RepositoryVersion viewset to generate vulnerability reports.
+  [#1012](https://github.com/pulp/pulp_python/issues/1012)
+
+#### Bugfixes {: #3.21.0-bugfix }
+
+- Fixed pull-through caching not checking the repository if package was not present on remote.
+  [#1004](https://github.com/pulp/pulp_python/issues/1004)
+
+---
+
 ## 3.20.0 (2025-11-07) {: #3.20.0 }
 
 #### Features {: #3.20.0-feature }

{pulp_python-3.20.0 → pulp_python-3.21.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: pulp-python
-Version: 3.20.0
+Version: 3.21.0
 Summary: pulp-python plugin for the Pulp Project
 Author-email: Pulp Team <pulp-list@redhat.com>
 Project-URL: Homepage, https://pulpproject.org
@@ -20,9 +20,9 @@ Classifier: Programming Language :: Python :: 3.13
 Requires-Python: >=3.11
 Description-Content-Type: text/markdown
 License-File: LICENSE
-Requires-Dist: pulpcore<3.100,>=3.81.0
+Requires-Dist: pulpcore<3.100,>=3.85.3
 Requires-Dist: pkginfo<1.13.0,>=1.12.0
-Requires-Dist: bandersnatch<6.6,>=6.3.0
+Requires-Dist: bandersnatch<6.7,>=6.6.0
 Requires-Dist: pypi-simple<2.0,>=1.5.0
 Dynamic: license-file
 

{pulp_python-3.20.0 → pulp_python-3.21.0}/pulp_python/app/__init__.py

@@ -10,7 +10,7 @@ class PulpPythonPluginAppConfig(PulpPluginAppConfig):
 
     name = "pulp_python.app"
     label = "python"
-    version = "3.20.0"
+    version = "3.21.0"
     python_package_name = "pulp-python"
     domain_compatible = True
 

pulp_python-3.21.0/pulp_python/app/migrations/0017_pythonpackagecontent_size.py

@@ -0,0 +1,50 @@
+# Generated by Django 4.2.26 on 2025-11-11 21:43
+
+from django.db import migrations, models, transaction
+
+
+def add_size_to_current_models(apps, schema_editor):
+    """Adds the size to current PythonPackageContent models."""
+    PythonPackageContent = apps.get_model("python", "PythonPackageContent")
+    RemoteArtifact = apps.get_model("core", "RemoteArtifact")
+    package_bulk = []
+    for python_package in PythonPackageContent.objects.only("pk", "size").iterator():
+        content_artifact = python_package.contentartifact_set.first()
+        if content_artifact.artifact:
+            artifact = content_artifact.artifact
+        else:
+            artifact = RemoteArtifact.objects.filter(content_artifact=content_artifact).first()
+        python_package.size = artifact.size or 0
+        package_bulk.append(python_package)
+        if len(package_bulk) == 100000:
+            with transaction.atomic():
+                PythonPackageContent.objects.bulk_update(
+                    package_bulk,
+                    [
+                        "size",
+                    ],
+                )
+                package_bulk = []
+    with transaction.atomic():
+        PythonPackageContent.objects.bulk_update(
+            package_bulk,
+            [
+                "size",
+            ],
+        )
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("python", "0016_pythonpackagecontent_metadata_sha256"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="pythonpackagecontent",
+            name="size",
+            field=models.BigIntegerField(default=0),
+        ),
+        migrations.RunPython(add_size_to_current_models, migrations.RunPython.noop, elidable=True),
+    ]

{pulp_python-3.20.0 → pulp_python-3.21.0}/pulp_python/app/models.py

@@ -193,6 +193,7 @@ class PythonPackageContent(Content):
     python_version = models.TextField()
     sha256 = models.CharField(db_index=True, max_length=64)
     metadata_sha256 = models.CharField(max_length=64, null=True)
+    size = models.BigIntegerField(default=0)
     # yanked and yanked_reason are not implemented because they are mutable
 
     # From pulpcore

{pulp_python-3.20.0 → pulp_python-3.21.0}/pulp_python/app/pypi/views.py

@@ -15,6 +15,7 @@ from django.db import transaction
 from django.db.utils import DatabaseError
 from django.http.response import (
     Http404,
+    HttpResponseNotFound,
     HttpResponseForbidden,
     HttpResponseBadRequest,
     StreamingHttpResponse,
@@ -104,10 +105,13 @@ class PyPIMixin:
         """Finds the repository version this distribution is serving."""
         pub = distribution.publication
         rep = distribution.repository
+        rep_version = distribution.repository_version
         if pub:
             return pub.repository_version or pub.repository.latest_version()
         elif rep:
             return rep.latest_version()
+        elif rep_version:
+            return rep_version
         else:
             raise Http404("No repository associated with this index")
 
@@ -287,7 +291,7 @@ class SimpleView(PackageUploadMixin, ViewSet):
             kwargs = {"content_type": media_type, "headers": headers}
             return StreamingHttpResponse(index_data, **kwargs)
 
-    def pull_through_package_simple(self, package, path, remote, media_type):
+    def pull_through_package_simple(self, package, path, remote):
         """Gets the package's simple page from remote."""
 
         def parse_package(release_package):
@@ -301,11 +305,14 @@ class SimpleView(PackageUploadMixin, ViewSet):
                 "sha256": release_package.digests.get("sha256", ""),
                 "requires_python": release_package.requires_python,
                 "metadata_sha256": (release_package.metadata_digests or {}).get("sha256"),
+                "size": release_package.size,
+                "upload_time": release_package.upload_time,
+                "version": release_package.version,
             }
 
         rfilter = get_remote_package_filter(remote)
         if not rfilter.filter_project(package):
-            raise Http404(f"{package} does not exist.")
+            return {}
 
         url = remote.get_remote_artifact_url(f"simple/{package}/")
         remote.headers = remote.headers or []
@@ -313,27 +320,19 @@ class SimpleView(PackageUploadMixin, ViewSet):
         downloader = remote.get_downloader(url=url, max_retries=1)
         try:
             d = downloader.fetch()
-        except ClientError:
-            return HttpResponse(f"Failed to fetch {package} from {remote.url}.", status=502)
-        except TimeoutException:
-            return HttpResponse(f"{remote.url} timed out while fetching {package}.", status=504)
+        except (ClientError, TimeoutException):
+            log.info(f"Failed to fetch {package} simple page from {remote.url}")
+            return {}
 
         if d.headers["content-type"] == PYPI_SIMPLE_V1_JSON:
             page = ProjectPage.from_json_data(json.load(open(d.path, "rb")), base_url=url)
         else:
             page = ProjectPage.from_html(package, open(d.path, "rb").read(), base_url=url)
-        packages = [
-            parse_package(p) for p in page.packages if rfilter.filter_release(package, p.version)
-        ]
-        headers = {"X-PyPI-Last-Serial": str(PYPI_SERIAL_CONSTANT)}
-
-        if media_type == PYPI_SIMPLE_V1_JSON:
-            detail_data = write_simple_detail_json(package, packages)
-            return Response(detail_data, headers=headers)
-        else:
-            detail_data = write_simple_detail(package, packages)
-            kwargs = {"content_type": media_type, "headers": headers}
-            return HttpResponse(detail_data, **kwargs)
+        return {
+            p.filename: parse_package(p)
+            for p in page.packages
+            if rfilter.filter_release(package, p.version)
+        }
 
     @extend_schema(operation_id="pypi_simple_package_read", summary="Get package simple page")
     def retrieve(self, request, path, package):
@@ -343,44 +342,43 @@ class SimpleView(PackageUploadMixin, ViewSet):
         repo_ver, content = self.get_rvc()
         # Should I redirect if the normalized name is different?
         normalized = canonicalize_name(package)
+        releases = {}
         if self.distribution.remote:
-            return self.pull_through_package_simple(
-                normalized, path, self.distribution.remote, media_type
-            )
-        if self.should_redirect(repo_version=repo_ver):
+            releases = self.pull_through_package_simple(normalized, path, self.distribution.remote)
+        elif self.should_redirect(repo_version=repo_ver):
             return redirect(urljoin(self.base_content_url, f"{path}/simple/{normalized}/"))
-        packages = (
-            content.filter(name__normalize=normalized)
-            .values_list("filename", "sha256", "name", "metadata_sha256", "requires_python")
-            .iterator()
-        )
-        try:
-            present = next(packages)
-        except StopIteration:
-            raise Http404(f"{normalized} does not exist.")
-        else:
-            packages = chain([present], packages)
-            name = present[2]
-        releases = (
-            {
-                "filename": filename,
-                "url": urljoin(self.base_content_url, f"{path}/{filename}"),
-                "sha256": sha256,
-                "metadata_sha256": metadata_sha256,
-                "requires_python": requires_python,
+        if content:
+            packages = content.filter(name__normalize=normalized).values(
+                "filename",
+                "sha256",
+                "metadata_sha256",
+                "requires_python",
+                "size",
+                "pulp_created",
+                "version",
+            )
+            local_releases = {
+                p["filename"]: {
+                    **p,
+                    "url": urljoin(self.base_content_url, f"{path}/{p['filename']}"),
+                    "upload_time": p["pulp_created"],
+                }
+                for p in packages
             }
-            for filename, sha256, _, metadata_sha256, requires_python in packages
-        )
+            releases.update(local_releases)
+        if not releases:
+            return HttpResponseNotFound(f"{normalized} does not exist.")
+
         media_type = request.accepted_renderer.media_type
         headers = {"X-PyPI-Last-Serial": str(PYPI_SERIAL_CONSTANT)}
 
         if media_type == PYPI_SIMPLE_V1_JSON:
-            detail_data = write_simple_detail_json(name, releases)
+            detail_data = write_simple_detail_json(normalized, releases.values())
             return Response(detail_data, headers=headers)
         else:
-            detail_data = write_simple_detail(name, releases, streamed=True)
+            detail_data = write_simple_detail(normalized, releases.values())
             kwargs = {"content_type": media_type, "headers": headers}
-            return StreamingHttpResponse(detail_data, **kwargs)
+            return HttpResponse(detail_data, **kwargs)
 
     @extend_schema(
         request=PackageUploadSerializer,

{pulp_python-3.20.0 → pulp_python-3.21.0}/pulp_python/app/serializers.py

@@ -53,6 +53,9 @@ class PythonDistributionSerializer(core_serializers.DistributionSerializer):
         queryset=core_models.Publication.objects.exclude(complete=False),
         allow_null=True,
     )
+    repository_version = core_serializers.RepositoryVersionRelatedField(
+        required=False, help_text=_("RepositoryVersion to be served."), allow_null=True
+    )
     base_url = serializers.SerializerMethodField(read_only=True)
     allow_uploads = serializers.BooleanField(
         default=True, help_text=_("Allow packages to be uploaded to this index.")
@@ -74,6 +77,7 @@ class PythonDistributionSerializer(core_serializers.DistributionSerializer):
     class Meta:
         fields = core_serializers.DistributionSerializer.Meta.fields + (
             "publication",
+            "repository_version",
             "allow_uploads",
             "remote",
         )
@@ -277,6 +281,10 @@ class PythonPackageContentSerializer(core_serializers.SingleArtifactContentUploa
         ),
         read_only=True,
     )
+    size = serializers.IntegerField(
+        help_text=_("The size of the package in bytes."),
+        read_only=True,
+    )
     sha256 = serializers.CharField(
         default="",
         help_text=_("The SHA256 digest of this package."),
@@ -368,6 +376,7 @@ class PythonPackageContentSerializer(core_serializers.SingleArtifactContentUploa
             "filename",
             "packagetype",
             "python_version",
+            "size",
             "sha256",
             "metadata_sha256",
         )
@@ -421,6 +430,7 @@ class PythonPackageContentUploadSerializer(PythonPackageContentSerializer):
         data["artifact"] = artifact
         data["sha256"] = artifact.sha256
         data["relative_path"] = filename
+        data["size"] = artifact.size
         data.update(parse_project_metadata(vars(metadata)))
         # Overwrite filename from metadata
         data["filename"] = filename

{pulp_python-3.20.0 → pulp_python-3.21.0}/pulp_python/app/tasks/__init__.py

@@ -6,3 +6,4 @@ from .publish import publish  # noqa:F401
 from .repair import repair  # noqa:F401
 from .sync import sync  # noqa:F401
 from .upload import upload, upload_group  # noqa:F401
+from .vulnerability_report import get_repo_version_content  # noqa:F401

{pulp_python-3.20.0 → pulp_python-3.21.0}/pulp_python/app/tasks/sync.py

@@ -59,9 +59,10 @@ def sync(remote_pk, repository_pk, mirror):
 
 def create_bandersnatch_config(remote):
     """Modifies the global Bandersnatch config state for this sync"""
-    config = BandersnatchConfig().config
+    config = BandersnatchConfig()
     config["mirror"]["master"] = remote.url
     config["mirror"]["workers"] = str(remote.download_concurrency)
+    config["mirror"]["allow_non_https"] = "true"
     if not config.has_section("plugins"):
         config.add_section("plugins")
     config["plugins"]["enabled"] = "blocklist_release\n"

pulp_python-3.21.0/pulp_python/app/tasks/vulnerability_report.py

@@ -0,0 +1,30 @@
+from pulpcore.plugin.models import RepositoryVersion
+from pulpcore.plugin.sync import sync_to_async_iterable
+
+from pulp_python.app.models import PythonPackageContent
+
+
+async def get_repo_version_content(repo_version_pk: str):
+    """
+    Retrieve Python package content from a repository version for vulnerability scanning.
+    """
+    repo_version = await RepositoryVersion.objects.aget(pk=repo_version_pk)
+    content_units = PythonPackageContent.objects.filter(pk__in=repo_version.content).only(
+        "name", "version"
+    )
+    ecosystem = "PyPI"
+    async for content in sync_to_async_iterable(content_units):
+        repo_content_osv_data = _build_osv_data(content.name, ecosystem, content.version)
+        repo_content_osv_data["repo_version"] = repo_version
+        repo_content_osv_data["content"] = content
+        yield repo_content_osv_data
+
+
+def _build_osv_data(name, ecosystem, version=None):
+    """
+    Build an OSV data structure for vulnerability queries.
+    """
+    osv_data = {"package": {"name": name, "ecosystem": ecosystem}}
+    if version:
+        osv_data["version"] = version
+    return osv_data

{pulp_python-3.20.0 → pulp_python-3.21.0}/pulp_python/app/utils.py

@@ -7,6 +7,7 @@ import zipfile
 import json
 from collections import defaultdict
 from django.conf import settings
+from django.utils import timezone
 from jinja2 import Template
 from packaging.utils import canonicalize_name
 from packaging.requirements import Requirement
@@ -18,7 +19,7 @@ PYPI_LAST_SERIAL = "X-PYPI-LAST-SERIAL"
 """TODO This serial constant is temporary until Python repositories implements serials"""
 PYPI_SERIAL_CONSTANT = 1000000000
 
-SIMPLE_API_VERSION = "1.0"
+SIMPLE_API_VERSION = "1.1"
 
 simple_index_template = """<!DOCTYPE html>
 <html>
@@ -161,6 +162,7 @@ def parse_metadata(project, version, distribution):
     package["sha256"] = distribution.get("digests", {}).get("sha256") or ""
     package["python_version"] = distribution.get("python_version") or ""
     package["requires_python"] = distribution.get("requires_python") or ""
+    package["size"] = distribution.get("size") or 0
 
     return package
 
@@ -223,6 +225,7 @@ def artifact_to_python_content_data(filename, artifact, domain=None):
         metadata = get_project_metadata_from_file(temp_file.name)
     data = parse_project_metadata(vars(metadata))
     data["sha256"] = artifact.sha256
+    data["size"] = artifact.size
     data["filename"] = filename
     data["pulp_domain"] = domain or artifact.pulp_domain
     data["_pulp_domain"] = data["pulp_domain"]
@@ -403,7 +406,6 @@ def python_content_to_download_info(content, base_path, domain=None):
         components.insert(2, domain.name)
     url = "/".join(components)
     md5 = artifact.md5 if artifact and artifact.md5 else ""
-    size = artifact.size if artifact and artifact.size else 0
     return {
         "comment_text": "",
         "digests": {"md5": md5, "sha256": content.sha256},
@@ -414,7 +416,7 @@ def python_content_to_download_info(content, base_path, domain=None):
         "packagetype": content.packagetype,
         "python_version": content.python_version,
         "requires_python": content.requires_python or None,
-        "size": size,
+        "size": content.size,
         "upload_time": str(content.pulp_created),
         "upload_time_iso_8601": str(content.pulp_created.isoformat()),
         "url": url,
@@ -471,20 +473,32 @@ def write_simple_detail_json(project_name, project_packages):
                     {"sha256": package["metadata_sha256"]} if package["metadata_sha256"] else False
                 ),
                 # yanked and yanked_reason are not implemented because they are mutable
+                # (v1.1, PEP 700)
+                "size": package["size"],
+                "upload-time": format_upload_time(package["upload_time"]),
                 # TODO in the future:
-                # size, upload-time (v1.1, PEP 700)
                 # core-metadata (PEP 7.14)
                 # provenance (v1.3, PEP 740)
             }
             for package in project_packages
         ],
+        # (v1.1, PEP 700)
+        "versions": sorted(set(package["version"] for package in project_packages)),
         # TODO in the future:
-        # versions (v1.1, PEP 700)
         # alternate-locations (v1.2, PEP 708)
         # project-status (v1.4, PEP 792 - pypi and docs differ)
     }
 
 
+def format_upload_time(upload_time):
+    """Formats the upload time to be in Zulu time. UTC with Z suffix"""
+    if upload_time:
+        if upload_time.tzinfo:
+            dt = upload_time.astimezone(timezone.utc)
+            return dt.isoformat().replace("+00:00", "Z")
+    return None
+
+
 class PackageIncludeFilter:
     """A special class to help filter Package's based on a remote's include/exclude"""
 

{pulp_python-3.20.0 → pulp_python-3.21.0}/pulp_python/app/viewsets.py

@@ -1,6 +1,7 @@
 from bandersnatch.configuration import BandersnatchConfig
 from django.db import transaction
 from drf_spectacular.utils import extend_schema
+from pathlib import Path
 from rest_framework import status
 from rest_framework.decorators import action
 from rest_framework.response import Response
@@ -12,7 +13,7 @@ from pulpcore.plugin.serializers import (
     AsyncOperationResponseSerializer,
     RepositorySyncURLSerializer,
 )
-from pulpcore.plugin.tasking import dispatch
+from pulpcore.plugin.tasking import check_content, dispatch
 
 from pulp_python.app import models as python_models
 from pulp_python.app import serializers as python_serializers
@@ -205,9 +206,36 @@ class PythonRepositoryVersionViewSet(core_viewsets.RepositoryVersionViewSet):
                     "has_repository_model_or_domain_or_obj_perms:python.view_pythonrepository",
                 ],
             },
+            {
+                "action": ["scan"],
+                "principal": "authenticated",
+                "effect": "allow",
+                "condition": [
+                    "has_repository_model_or_domain_or_obj_perms:python.view_pythonrepository",
+                ],
+            },
         ],
     }
 
+    @extend_schema(
+        summary="Generate vulnerability report", responses={202: AsyncOperationResponseSerializer}
+    )
+    @action(detail=True, methods=["post"], serializer_class=None)
+    def scan(self, request, repository_pk, **kwargs):
+        """
+        Scan a repository version for vulnerabilities.
+        """
+        repository_version = self.get_object()
+        func = (
+            f"{tasks.get_repo_version_content.__module__}.{tasks.get_repo_version_content.__name__}"
+        )
+        task = dispatch(
+            check_content,
+            shared_resources=[repository_version.repository],
+            args=[func, [repository_version.pk]],
+        )
+        return core_viewsets.OperationPostponedResponse(task, request)
+
 
 class PythonDistributionViewSet(core_viewsets.DistributionViewSet, core_viewsets.RolesMixin):
     """
@@ -496,7 +524,7 @@ class PythonRemoteViewSet(core_viewsets.RemoteViewSet, core_viewsets.RolesMixin)
         bander_config_file = serializer.validated_data.get("config")
         name = serializer.validated_data.get("name")
         policy = serializer.validated_data.get("policy")
-        bander_config = BandersnatchConfig(bander_config_file.file.name).config
+        bander_config = BandersnatchConfig(Path(bander_config_file.file.name))
         data = {
             "name": name,
             "policy": policy,

{pulp_python-3.20.0 → pulp_python-3.21.0}/pulp_python/pytest_plugin.py

@@ -73,7 +73,7 @@ def python_distribution_factory(python_bindings, gen_object_with_cleanup):
                     ver_href = f"{repo_href}versions/{version}/"
                 else:
                     ver_href = get_href(version)
-                body = {"repository_version": ver_href}
+                body["repository_version"] = ver_href
             else:
                 body["repository"] = repo_href
         kwargs = {}

{pulp_python-3.20.0 → pulp_python-3.21.0}/pulp_python/tests/functional/api/test_full_mirror.py

@@ -84,7 +84,7 @@ def test_pull_through_filter(python_remote_factory, python_distribution_factory)
 
     r = requests.get(f"{distro.base_url}simple/pulpcore/")
     assert r.status_code == 404
-    assert r.text == "404 Not Found"
+    assert r.text == "pulpcore does not exist."
 
     r = requests.get(f"{distro.base_url}simple/shelf-reader/")
     assert r.status_code == 200
@@ -104,11 +104,11 @@ def test_pull_through_filter(python_remote_factory, python_distribution_factory)
 
     r = requests.get(f"{distro.base_url}simple/django/")
     assert r.status_code == 404
-    assert r.text == "404 Not Found"
+    assert r.text == "django does not exist."
 
     r = requests.get(f"{distro.base_url}simple/pulpcore/")
-    assert r.status_code == 502
-    assert r.text == f"Failed to fetch pulpcore from {remote.url}."
+    assert r.status_code == 404
+    assert r.text == "pulpcore does not exist."
 
     r = requests.get(f"{distro.base_url}simple/shelf-reader/")
     assert r.status_code == 200
@@ -156,3 +156,29 @@ def test_pull_through_with_repo(
     assert r.status_code == 200
     tasks = pulpcore_bindings.TasksApi.list(reserved_resources=repo.prn)
     assert tasks.count == 3
+
+
+@pytest.mark.parallel
+def test_pull_through_local_only(
+    python_remote_factory, python_distribution_factory, python_repo_with_sync
+):
+    """Tests that pull-through checks the repository if the package is not present on the remote."""
+    remote = python_remote_factory(url=PYPI_URL, includes=["pulpcore"])
+    repo = python_repo_with_sync(remote=remote)
+    remote2 = python_remote_factory(includes=[])  # Fixtures does not have pulpcore
+    distro = python_distribution_factory(repository=repo.pulp_href, remote=remote2.pulp_href)
+
+    url = f"{distro.base_url}simple/pulpcore/"
+    r = requests.get(url)
+    assert r.status_code == 200
+    assert "?redirect=" not in r.text
+
+    url = f"{distro.base_url}simple/shelf-reader/"
+    r = requests.get(url)
+    assert r.status_code == 200
+    assert "?redirect=" in r.text
+
+    url = f"{distro.base_url}simple/pulp_python/"
+    r = requests.get(url)
+    assert r.status_code == 404
+    assert r.text == "pulp-python does not exist."

{pulp_python-3.20.0 → pulp_python-3.21.0}/pulp_python/tests/functional/api/test_pypi_apis.py

@@ -267,6 +267,11 @@ def test_pypi_json(python_remote_factory, python_repo_with_sync, python_distribu
     distro = python_distribution_factory(repository=repo)
     response = requests.get(urljoin(distro.base_url, "pypi/shelf-reader/json"))
     assert_pypi_json(response.json())
+    # Test serving a repository version
+    distro = python_distribution_factory(repository=repo, version="1")
+    assert distro.repository is None
+    response = requests.get(urljoin(distro.base_url, "pypi/shelf-reader/json"))
+    assert_pypi_json(response.json())
 
 
 @pytest.mark.parallel

{pulp_python-3.20.0 → pulp_python-3.21.0}/pulp_python/tests/functional/api/test_pypi_simple_json_api.py

@@ -11,7 +11,7 @@ from pulp_python.tests.functional.constants import (
     PYTHON_WHEEL_URL,
 )
 
-API_VERSION = "1.0"
+API_VERSION = "1.1"
 PYPI_SERIAL_CONSTANT = 1000000000
 
 PYPI_TEXT_HTML = "text/html"
@@ -69,6 +69,7 @@ def test_simple_json_detail_api(
     assert data["meta"] == {"api-version": API_VERSION, "_last-serial": PYPI_SERIAL_CONSTANT}
     assert data["name"] == "shelf-reader"
     assert data["files"]
+    assert data["versions"] == ["0.1"]
 
     # Check data of a wheel
     file_whl = next(
@@ -83,7 +84,8 @@ def test_simple_json_detail_api(
     assert file_whl["data-dist-info-metadata"] == {
         "sha256": "ed333f0db05d77e933a157b7225b403ada9a2f93318d77b41b662eba78bac350"
     }
-
+    assert file_whl["size"] == 22455
+    assert file_whl["upload-time"] is not None
     # Check data of a tarball
     file_tar = next((i for i in data["files"] if i["filename"] == "shelf-reader-0.1.tar.gz"), None)
     assert file_tar is not None, "tar file not found"
@@ -93,6 +95,8 @@ def test_simple_json_detail_api(
     }
     assert file_tar["requires-python"] is None
     assert file_tar["data-dist-info-metadata"] is False
+    assert file_tar["size"] == 19097
+    assert file_tar["upload-time"] is not None
 
 
 @pytest.mark.parallel

pulp_python-3.21.0/pulp_python/tests/functional/api/test_vulnerability_report.py

@@ -0,0 +1,48 @@
+import pytest
+
+from pulp_python.tests.functional.constants import (
+    PYPI_URL,
+    VULNERABILITY_REPORT_TEST_PACKAGE_NAME,
+    VULNERABILITY_REPORT_TEST_PACKAGES,
+)
+
+
+@pytest.mark.parallel
+def test_vulnerability_report(
+    pulpcore_bindings, python_bindings, python_repo, python_remote_factory, monitor_task
+):
+
+    # Sync the test repository.
+    remote = python_remote_factory(url=PYPI_URL, includes=VULNERABILITY_REPORT_TEST_PACKAGES)
+    sync_data = dict(remote=remote.pulp_href)
+    response = python_bindings.RepositoriesPythonApi.sync(python_repo.pulp_href, sync_data)
+    monitor_task(response.task)
+
+    # get repo latest version
+    repo = python_bindings.RepositoriesPythonApi.read(python_repo.pulp_href)
+    latest_version_href = repo.latest_version_href
+
+    # scan
+    response = python_bindings.RepositoriesPythonVersionsApi.scan(
+        python_python_repository_version_href=latest_version_href
+    )
+    monitor_task(response.task)
+
+    # checks
+    vulns_list = pulpcore_bindings.VulnReportApi.list()
+    assert len(vulns_list.results) > 0
+    for results in vulns_list.results:
+        assert len(results.vulns) > 0
+        for vuln in results.vulns:
+            assert VULNERABILITY_REPORT_TEST_PACKAGE_NAME.lower() in (
+                affected["package"]["name"] for affected in vuln["affected"]
+            )
+
+    repo_version = python_bindings.RepositoriesPythonVersionsApi.read(latest_version_href)
+    assert repo_version.vuln_report is not None
+
+    python_packages = python_bindings.ContentPackagesApi.list(
+        name=VULNERABILITY_REPORT_TEST_PACKAGE_NAME, repository_version=latest_version_href
+    )
+    for content in python_packages.results:
+        assert content.vuln_report is not None

{pulp_python-3.20.0 → pulp_python-3.21.0}/pulp_python/tests/functional/constants.py

@@ -345,3 +345,8 @@ SHELF_PYTHON_JSON = {
     "releases": {"0.1": SHELF_0DOT1_RELEASE},
     "urls": SHELF_0DOT1_RELEASE,
 }
+
+VULNERABILITY_REPORT_TEST_PACKAGE_NAME = "Django"
+VULNERABILITY_REPORT_TEST_PACKAGES = [
+    "django==5.2.1",
+]

{pulp_python-3.20.0 → pulp_python-3.21.0}/pulp_python.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: pulp-python
-Version: 3.20.0
+Version: 3.21.0
 Summary: pulp-python plugin for the Pulp Project
 Author-email: Pulp Team <pulp-list@redhat.com>
 Project-URL: Homepage, https://pulpproject.org
@@ -20,9 +20,9 @@ Classifier: Programming Language :: Python :: 3.13
 Requires-Python: >=3.11
 Description-Content-Type: text/markdown
 License-File: LICENSE
-Requires-Dist: pulpcore<3.100,>=3.81.0
+Requires-Dist: pulpcore<3.100,>=3.85.3
 Requires-Dist: pkginfo<1.13.0,>=1.12.0
-Requires-Dist: bandersnatch<6.6,>=6.3.0
+Requires-Dist: bandersnatch<6.7,>=6.6.0
 Requires-Dist: pypi-simple<2.0,>=1.5.0
 Dynamic: license-file
 

{pulp_python-3.20.0 → pulp_python-3.21.0}/pulp_python.egg-info/SOURCES.txt

@@ -46,6 +46,7 @@ pulp_python/app/migrations/0013_add_rbac_permissions.py
 pulp_python/app/migrations/0014_pythonpackagecontent_dynamic_and_more.py
 pulp_python/app/migrations/0015_alter_pythonpackagecontent_options.py
 pulp_python/app/migrations/0016_pythonpackagecontent_metadata_sha256.py
+pulp_python/app/migrations/0017_pythonpackagecontent_size.py
 pulp_python/app/migrations/__init__.py
 pulp_python/app/pypi/__init__.py
 pulp_python/app/pypi/serializers.py
@@ -55,6 +56,7 @@ pulp_python/app/tasks/publish.py
 pulp_python/app/tasks/repair.py
 pulp_python/app/tasks/sync.py
 pulp_python/app/tasks/upload.py
+pulp_python/app/tasks/vulnerability_report.py
 pulp_python/app/webserver_snippets/__init__.py
 pulp_python/app/webserver_snippets/apache.conf
 pulp_python/app/webserver_snippets/nginx.conf
@@ -78,5 +80,6 @@ pulp_python/tests/functional/api/test_rbac.py
 pulp_python/tests/functional/api/test_repair.py
 pulp_python/tests/functional/api/test_sync.py
 pulp_python/tests/functional/api/test_upload.py
+pulp_python/tests/functional/api/test_vulnerability_report.py
 pulp_python/tests/unit/__init__.py
 pulp_python/tests/unit/test_models.py

pulp_python-3.21.0/pulp_python.egg-info/requires.txt

@@ -0,0 +1,4 @@
+pulpcore<3.100,>=3.85.3
+pkginfo<1.13.0,>=1.12.0
+bandersnatch<6.7,>=6.6.0
+pypi-simple<2.0,>=1.5.0

{pulp_python-3.20.0 → pulp_python-3.21.0}/pyproject.toml

@@ -7,7 +7,7 @@ build-backend = 'setuptools.build_meta'
 
 [project]
 name = "pulp-python"
-version = "3.20.0"
+version = "3.21.0"
 description = "pulp-python plugin for the Pulp Project"
 readme = "README.md"
 authors = [
@@ -26,9 +26,9 @@ classifiers=[
 ]
 requires-python = ">=3.11"
 dependencies = [
-  "pulpcore>=3.81.0,<3.100",
+  "pulpcore>=3.85.3,<3.100",
   "pkginfo>=1.12.0,<1.13.0",
-  "bandersnatch>=6.3.0,<6.6", # 6.6 has breaking changes
+  "bandersnatch>=6.6.0,<6.7",
   "pypi-simple>=1.5.0,<2.0",
 ]
 
@@ -76,7 +76,7 @@ ignore = [
 [tool.bumpversion]
 # This section is managed by the plugin template. Do not edit manually.
 
-current_version = "3.20.0"
+current_version = "3.21.0"
 commit = false
 tag = false
 parse = "(?P<major>\\d+)\\.(?P<minor>\\d+)\\.(?P<alpha>0a)?(?P<patch>\\d+)(\\.(?P<release>[a-z]+))?"

pulp_python-3.20.0/pulp_python.egg-info/requires.txt

@@ -1,4 +0,0 @@
-pulpcore<3.100,>=3.81.0
-pkginfo<1.13.0,>=1.12.0
-bandersnatch<6.6,>=6.3.0
-pypi-simple<2.0,>=1.5.0