pulp-python 3.20.1__tar.gz → 3.22.0__tar.gz

{pulp_python-3.20.1 → pulp_python-3.22.0}/CHANGES.md

@@ -8,6 +8,38 @@
 
 [//]: # (towncrier release notes start)
 
+## 3.22.0 (2025-12-09) {: #3.22.0 }
+
+#### Features {: #3.22.0-feature }
+
+- Added attestations field to package upload that will create a PEP 740 Provenance object for that content.
+  [#984](https://github.com/pulp/pulp_python/issues/984)
+- Added the ability to upload PEP 740 Provenance files to repositories.
+
+#### Bugfixes {: #3.22.0-bugfix }
+
+- Added some sanity validation checks to twine upload endpoint.
+
+---
+
+## 3.21.0 (2025-11-18) {: #3.21.0 }
+
+#### Features {: #3.21.0-feature }
+
+- Added ability to serve a specific repository version of a PyPI index.
+  [#982](https://github.com/pulp/pulp_python/issues/982)
+- Implemented PEP 700 support, adding `versions`, `size` and `upload-time` to the Simple JSON API.
+  [#996](https://github.com/pulp/pulp_python/issues/996)
+- Added the new /scan endpoint to the RepositoryVersion viewset to generate vulnerability reports.
+  [#1012](https://github.com/pulp/pulp_python/issues/1012)
+
+#### Bugfixes {: #3.21.0-bugfix }
+
+- Fixed pull-through caching not checking the repository if package was not present on remote.
+  [#1004](https://github.com/pulp/pulp_python/issues/1004)
+
+---
+
 ## 3.20.1 (2025-11-18) {: #3.20.1 }
 
 #### Bugfixes {: #3.20.1-bugfix }
@@ -205,6 +237,12 @@ No significant changes.
 
 ---
 
+## 3.12.8 (2025-11-18) {: #3.12.8 }
+
+No significant changes.
+
+---
+
 ## 3.12.7 (2025-07-23) {: #3.12.7 }
 
 No significant changes.
@@ -291,6 +329,12 @@ No significant changes.
 
 ---
 
+## 3.11.7 (2025-11-18) {: #3.11.7 }
+
+No significant changes.
+
+---
+
 ## 3.11.6 (2025-07-23) {: #3.11.6 }
 
 No significant changes.
@@ -355,6 +399,12 @@ No significant changes.
 
 ---
 
+## 3.10.2 (2025-11-18) {: #3.10.2 }
+
+No significant changes
+
+---
+
 ## 3.10.1 (2025-07-23) {: #3.10.1 }
 
 ### Bugfixes

{pulp_python-3.20.1 → pulp_python-3.22.0}/MANIFEST.in

@@ -9,4 +9,5 @@ include functest_requirements.txt
 include test_requirements.txt
 include unittest_requirements.txt
 include pulp_python/app/webserver_snippets/*
+include pulp_python/tests/functional/assets/*
 exclude releasing.md

{pulp_python-3.20.1 → pulp_python-3.22.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: pulp-python
-Version: 3.20.1
+Version: 3.22.0
 Summary: pulp-python plugin for the Pulp Project
 Author-email: Pulp Team <pulp-list@redhat.com>
 Project-URL: Homepage, https://pulpproject.org
@@ -20,10 +20,11 @@ Classifier: Programming Language :: Python :: 3.13
 Requires-Python: >=3.11
 Description-Content-Type: text/markdown
 License-File: LICENSE
-Requires-Dist: pulpcore<3.100,>=3.85.0
+Requires-Dist: pulpcore<3.100,>=3.85.3
 Requires-Dist: pkginfo<1.13.0,>=1.12.0
-Requires-Dist: bandersnatch<6.6,>=6.3.0
-Requires-Dist: pypi-simple<2.0,>=1.5.0
+Requires-Dist: bandersnatch<6.7,>=6.6.0
+Requires-Dist: pypi-simple<2.0,>=1.8.0
+Requires-Dist: pypi-attestations==0.0.28
 Dynamic: license-file
 
 # pulp_python

{pulp_python-3.20.1 → pulp_python-3.22.0}/pulp_python/app/__init__.py

@@ -10,7 +10,7 @@ class PulpPythonPluginAppConfig(PulpPluginAppConfig):
 
     name = "pulp_python.app"
     label = "python"
-    version = "3.20.1"
+    version = "3.22.0"
     python_package_name = "pulp-python"
     domain_compatible = True
 

pulp_python-3.22.0/pulp_python/app/migrations/0017_pythonpackagecontent_size.py

@@ -0,0 +1,50 @@
+# Generated by Django 4.2.26 on 2025-11-11 21:43
+
+from django.db import migrations, models, transaction
+
+
+def add_size_to_current_models(apps, schema_editor):
+    """Adds the size to current PythonPackageContent models."""
+    PythonPackageContent = apps.get_model("python", "PythonPackageContent")
+    RemoteArtifact = apps.get_model("core", "RemoteArtifact")
+    package_bulk = []
+    for python_package in PythonPackageContent.objects.only("pk", "size").iterator():
+        content_artifact = python_package.contentartifact_set.first()
+        if content_artifact.artifact:
+            artifact = content_artifact.artifact
+        else:
+            artifact = RemoteArtifact.objects.filter(content_artifact=content_artifact).first()
+        python_package.size = artifact.size or 0
+        package_bulk.append(python_package)
+        if len(package_bulk) == 100000:
+            with transaction.atomic():
+                PythonPackageContent.objects.bulk_update(
+                    package_bulk,
+                    [
+                        "size",
+                    ],
+                )
+                package_bulk = []
+    with transaction.atomic():
+        PythonPackageContent.objects.bulk_update(
+            package_bulk,
+            [
+                "size",
+            ],
+        )
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("python", "0016_pythonpackagecontent_metadata_sha256"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="pythonpackagecontent",
+            name="size",
+            field=models.BigIntegerField(default=0),
+        ),
+        migrations.RunPython(add_size_to_current_models, migrations.RunPython.noop, elidable=True),
+    ]

pulp_python-3.22.0/pulp_python/app/migrations/0018_packageprovenance.py

@@ -0,0 +1,59 @@
+# Generated by Django 4.2.26 on 2025-12-01 19:49
+
+from django.db import migrations, models
+import django.db.models.deletion
+import pulpcore.app.util
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("python", "0017_pythonpackagecontent_size"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="PackageProvenance",
+            fields=[
+                (
+                    "content_ptr",
+                    models.OneToOneField(
+                        auto_created=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        parent_link=True,
+                        primary_key=True,
+                        serialize=False,
+                        to="core.content",
+                    ),
+                ),
+                ("provenance", models.JSONField()),
+                ("sha256", models.CharField(max_length=64)),
+                (
+                    "_pulp_domain",
+                    models.ForeignKey(
+                        default=pulpcore.app.util.get_domain_pk,
+                        on_delete=django.db.models.deletion.PROTECT,
+                        to="core.domain",
+                    ),
+                ),
+                (
+                    "package",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name="provenances",
+                        to="python.pythonpackagecontent",
+                    ),
+                ),
+            ],
+            options={
+                "default_related_name": "%(app_label)s_%(model_name)s",
+                "unique_together": {("sha256", "_pulp_domain")},
+            },
+            bases=("core.content",),
+        ),
+        migrations.AddField(
+            model_name="pythonremote",
+            name="provenance",
+            field=models.BooleanField(default=False),
+        ),
+    ]

{pulp_python-3.20.1 → pulp_python-3.22.0}/pulp_python/app/models.py

@@ -1,3 +1,5 @@
+import hashlib
+import json
 from logging import getLogger
 
 from aiohttp.web import json_response
@@ -5,6 +7,10 @@ from django.contrib.postgres.fields import ArrayField
 from django.core.exceptions import ObjectDoesNotExist
 from django.db import models
 from django.conf import settings
+from django_lifecycle import (
+    BEFORE_SAVE,
+    hook,
+)
 from pulpcore.plugin.models import (
     AutoAddObjPermsMixin,
     Content,
@@ -16,6 +22,7 @@ from pulpcore.plugin.models import (
 from pulpcore.plugin.responses import ArtifactResponse
 
 from pathlib import PurePath
+from .provenance import Provenance
 from .utils import (
     artifact_to_python_content_data,
     canonicalize_name,
@@ -193,6 +200,7 @@ class PythonPackageContent(Content):
     python_version = models.TextField()
     sha256 = models.CharField(db_index=True, max_length=64)
     metadata_sha256 = models.CharField(max_length=64, null=True)
+    size = models.BigIntegerField(default=0)
     # yanked and yanked_reason are not implemented because they are mutable
 
     # From pulpcore
@@ -234,6 +242,43 @@ class PythonPackageContent(Content):
         ]
 
 
+class PackageProvenance(Content):
+    """
+    PEP 740 provenance objects.
+    """
+
+    TYPE = "provenance"
+    repo_key_fields = ("package_id",)
+
+    package = models.ForeignKey(
+        PythonPackageContent, on_delete=models.CASCADE, related_name="provenances"
+    )
+    provenance = models.JSONField(null=False)
+    sha256 = models.CharField(max_length=64, null=False)
+
+    _pulp_domain = models.ForeignKey("core.Domain", default=get_domain_pk, on_delete=models.PROTECT)
+
+    @staticmethod
+    def calculate_sha256(provenance):
+        """Calculates the sha256 from the provenance."""
+        provenance_json = json.dumps(provenance, sort_keys=True).encode("utf-8")
+        hasher = hashlib.sha256(provenance_json)
+        return hasher.hexdigest()
+
+    @hook(BEFORE_SAVE)
+    def set_sha256_hook(self):
+        """Ensure that sha256 is set before saving."""
+        self.sha256 = self.calculate_sha256(self.provenance)
+
+    @property
+    def as_model(self):
+        return Provenance.model_validate(self.provenance)
+
+    class Meta:
+        default_related_name = "%(app_label)s_%(model_name)s"
+        unique_together = ("sha256", "_pulp_domain")
+
+
 class PythonPublication(Publication, AutoAddObjPermsMixin):
     """
     A Publication for PythonContent.
@@ -269,6 +314,7 @@ class PythonRemote(Remote, AutoAddObjPermsMixin):
     exclude_platforms = ArrayField(
         models.CharField(max_length=10, blank=True), choices=PLATFORMS, default=list
     )
+    provenance = models.BooleanField(default=False)
 
     def get_remote_artifact_url(self, relative_path=None, request=None):
         """Get url for remote_artifact"""
@@ -294,7 +340,7 @@ class PythonRepository(Repository, AutoAddObjPermsMixin):
     """
 
     TYPE = "python"
-    CONTENT_TYPES = [PythonPackageContent]
+    CONTENT_TYPES = [PythonPackageContent, PackageProvenance]
     REMOTE_TYPES = [PythonRemote]
     PULL_THROUGH_SUPPORTED = True
 

pulp_python-3.22.0/pulp_python/app/provenance.py

@@ -0,0 +1,71 @@
+from typing import Annotated, Literal, Union, get_args
+
+from pydantic import BaseModel, ConfigDict, Field
+from pydantic.alias_generators import to_snake
+from pypi_attestations import (
+    Attestation,
+    Distribution,
+    Publisher,
+)
+
+
+class _PermissivePolicy:
+    """A permissive verification policy that always succeeds."""
+
+    def verify(self, cert):
+        """Succeed regardless of the publisher's identity."""
+        pass
+
+
+class AnyPublisher(BaseModel):
+    """A fallback publisher for any kind not matching other publisher types."""
+
+    model_config = ConfigDict(alias_generator=to_snake, extra="allow")
+
+    kind: str
+
+    def _as_policy(self):
+        """Return a permissive policy that always succeed."""
+        return _PermissivePolicy()
+
+
+# Get the underlying Union type of the original Publisher
+# Publisher is Annotated[Union[...], Field(discriminator="kind")]
+_OriginalPublisherTypes = get_args(Publisher.__origin__)
+# Add AnyPublisher to the list of original publisher types
+_ExtendedPublisherTypes = (*_OriginalPublisherTypes, AnyPublisher)
+_ExtendedPublisherUnion = Union[_ExtendedPublisherTypes]
+# Create a new type that fallbacks to AnyPublisher
+ExtendedPublisher = Annotated[_ExtendedPublisherUnion, Field(union_mode="left_to_right")]
+
+
+class AttestationBundle(BaseModel):
+    """
+    AttestationBundle object as defined in PEP740.
+
+    PyPI only accepts attestations from TrustedPublishers (GitHub, GitLab, Google), but we will
+    accept from any user.
+    """
+
+    publisher: ExtendedPublisher
+    attestations: list[Attestation]
+
+
+class Provenance(BaseModel):
+    """Provenance object as defined in PEP740."""
+
+    version: Literal[1] = 1
+    attestation_bundles: list[AttestationBundle]
+
+
+def verify_provenance(filename, sha256, provenance, offline=False):
+    """Verify the provenance object is valid for the package."""
+    dist = Distribution(name=filename, digest=sha256)
+    for bundle in provenance.attestation_bundles:
+        publisher = bundle.publisher
+        policy = publisher._as_policy()
+        for attestation in bundle.attestations:
+            sig_bundle = attestation.to_bundle()
+            checkpoint = sig_bundle.log_entry._inner.inclusion_proof.checkpoint
+            staging = "sigstage.dev" in checkpoint.envelope
+            attestation.verify(policy, dist, staging=staging, offline=offline)

{pulp_python-3.20.1 → pulp_python-3.22.0}/pulp_python/app/pypi/serializers.py

@@ -2,7 +2,9 @@ import logging
 from gettext import gettext as _
 
 from rest_framework import serializers
-from pulp_python.app.utils import DIST_EXTENSIONS
+from pydantic import TypeAdapter, ValidationError
+from pulp_python.app.provenance import Attestation
+from pulp_python.app.utils import DIST_EXTENSIONS, SUPPORTED_METADATA_VERSIONS
 from pulpcore.plugin.models import Artifact
 from pulpcore.plugin.util import get_domain
 from django.db.utils import IntegrityError
@@ -54,6 +56,27 @@ class PackageUploadSerializer(serializers.Serializer):
         min_length=64,
         max_length=64,
     )
+    protocol_version = serializers.ChoiceField(
+        help_text=_("Protocol version to use for the upload. Only version 1 is supported."),
+        required=False,
+        choices=(1,),
+        default=1,
+    )
+    filetype = serializers.ChoiceField(
+        help_text=_("Type of artifact to upload."),
+        required=False,
+        choices=("bdist_wheel", "sdist"),
+    )
+    metadata_version = serializers.ChoiceField(
+        help_text=_("Metadata version of the uploaded package."),
+        required=False,
+        choices=SUPPORTED_METADATA_VERSIONS,
+    )
+    attestations = serializers.JSONField(
+        required=False,
+        help_text=_("A JSON list containing attestations for the package."),
+        write_only=True,
+    )
 
     def validate(self, data):
         """Validates the request."""
@@ -63,14 +86,33 @@ class PackageUploadSerializer(serializers.Serializer):
         file = data.get("content")
         for ext, packagetype in DIST_EXTENSIONS.items():
             if file.name.endswith(ext):
+                if (filetype := data.get("filetype")) and filetype != packagetype:
+                    raise serializers.ValidationError(
+                        {
+                            "filetype": _(
+                                "filetype {} does not match found filetype {} for file {}"
+                            ).format(filetype, packagetype, file.name)
+                        }
+                    )
                 break
         else:
             raise serializers.ValidationError(
-                _(
-                    "Extension on {} is not a valid python extension "
-                    "(.whl, .exe, .egg, .tar.gz, .tar.bz2, .zip)"
-                ).format(file.name)
+                {
+                    "content": _(
+                        "Extension on {} is not a valid python extension "
+                        "(.whl, .exe, .egg, .tar.gz, .tar.bz2, .zip)"
+                    ).format(file.name)
+                }
             )
+
+        if attestations := data.get("attestations"):
+            try:
+                attestations = TypeAdapter(list[Attestation]).validate_python(attestations)
+            except ValidationError as e:
+                raise serializers.ValidationError(
+                    {"attestations": _("The uploaded attestations are not valid: {}".format(e))}
+                )
+
         sha256 = data.get("sha256_digest")
         digests = {"sha256": sha256} if sha256 else None
         artifact = Artifact.init_and_validate(file, expected_digests=digests)