pulp-python 3.24.0__tar.gz → 3.24.2__tar.gz

{pulp_python-3.24.0 → pulp_python-3.24.2}/CHANGES.md

@@ -8,6 +8,28 @@
 
 [//]: # (towncrier release notes start)
 
+## 3.24.2 (2026-02-06) {: #3.24.2 }
+
+#### Bugfixes {: #3.24.2-bugfix }
+
+- Fixed pull-through caching failing for packages with bad names.
+  [#1040](https://github.com/pulp/pulp_python/issues/1040)
+- Fixed pull-through PEP 658 metadata not being served correctly for certain tools.
+  [#1083](https://github.com/pulp/pulp_python/issues/1083)
+- Fixed pull-through PEP 658 metadata not being saved correctly with the package.
+  [#1087](https://github.com/pulp/pulp_python/issues/1087)
+
+---
+
+## 3.24.1 (2026-01-22) {: #3.24.1 }
+
+#### Bugfixes {: #3.24.1-bugfix }
+
+- Changed migration 19 to reset package's metadata_sha256 to null. This field will be fixed in a later release.
+  [#1071](https://github.com/pulp/pulp_python/issues/1071)
+
+---
+
 ## 3.24.0 (2026-01-20) {: #3.24.0 }
 
 #### Features {: #3.24.0-feature }

{pulp_python-3.24.0 → pulp_python-3.24.2}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: pulp-python
-Version: 3.24.0
+Version: 3.24.2
 Summary: pulp-python plugin for the Pulp Project
 Author-email: Pulp Team <pulp-list@redhat.com>
 Project-URL: Homepage, https://pulpproject.org

{pulp_python-3.24.0 → pulp_python-3.24.2}/pulp_python/app/__init__.py

@@ -10,7 +10,7 @@ class PulpPythonPluginAppConfig(PulpPluginAppConfig):
 
     name = "pulp_python.app"
     label = "python"
-    version = "3.24.0"
+    version = "3.24.2"
     python_package_name = "pulp-python"
     domain_compatible = True
 

pulp_python-3.24.2/pulp_python/app/migrations/0019_create_missing_metadata_artifacts.py

@@ -0,0 +1,24 @@
+# Generated manually on 2025-12-15 14:00 for creating missing metadata artifacts
+from django.db import migrations
+
+
+def set_metadata_sha256_null(apps, schema_editor):
+    # We can't easily create the metadata artifacts in this migration, so just set the metadata_sha256
+    # to null and we will introduce a new command later to create them.
+    PythonPackageContent = apps.get_model("python", "PythonPackageContent")
+    PythonPackageContent.objects.filter(metadata_sha256__isnull=False).update(metadata_sha256=None)
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("python", "0018_packageprovenance"),
+    ]
+
+    operations = [
+        migrations.RunPython(
+            set_metadata_sha256_null,
+            reverse_code=migrations.RunPython.noop,
+            elidable=True,
+        ),
+    ]

{pulp_python-3.24.0 → pulp_python-3.24.2}/pulp_python/app/models.py

@@ -25,6 +25,7 @@ from pathlib import PurePath
 from .provenance import Provenance
 from .utils import (
     artifact_to_python_content_data,
+    artifact_to_metadata_artifact,
     canonicalize_name,
     python_content_to_json,
     PYPI_LAST_SERIAL,
@@ -215,7 +216,10 @@ class PythonPackageContent(Content):
         """Used when downloading package from pull-through cache."""
         path = PurePath(relative_path)
         data = artifact_to_python_content_data(path.name, artifact, domain=get_domain())
-        return PythonPackageContent(**data)
+        artifacts = {path.name: artifact}
+        if metadata_artifact := artifact_to_metadata_artifact(path.name, artifact):
+            artifacts[f"{path.name}.metadata"] = metadata_artifact
+        return PythonPackageContent(**data), artifacts
 
     def __str__(self):
         """
@@ -320,11 +324,25 @@ class PythonRemote(Remote, AutoAddObjPermsMixin):
         """Get url for remote_artifact"""
         if request and (url := request.query.get("redirect")):
             # This is a special case for pull-through caching
+            # To handle PEP 658, it states that if the package has metadata available then it
+            # should be found at the download URL + ".metadata". Thus if the request url ends with
+            # ".metadata" then we need to add ".metadata" to the redirect url if not present.
+            if relative_path:
+                if relative_path.endswith(".metadata") and not url.endswith(".metadata"):
+                    url += ".metadata"
+                # Handle special case for bug in pip (TODO file issue in pip) where it appends
+                # ".metadata" to the redirect url instead of the request url
+                if url.endswith(".metadata") and not relative_path.endswith(".metadata"):
+                    setattr(self, "_real_relative_path", url.rsplit("/", 1)[1])
             return url
         return super().get_remote_artifact_url(relative_path, request=request)
 
     def get_remote_artifact_content_type(self, relative_path=None):
-        """Return PythonPackageContent."""
+        """Return PythonPackageContent, except for metadata artifacts."""
+        if hasattr(self, "_real_relative_path"):
+            relative_path = getattr(self, "_real_relative_path")
+        if relative_path and relative_path.endswith(".whl.metadata"):
+            return None
         return PythonPackageContent
 
     class Meta:

{pulp_python-3.24.0 → pulp_python-3.24.2}/pulp_python/app/utils.py

@@ -610,7 +610,7 @@ class PackageIncludeFilter:
 
         try:
             version = parse(version)
-        except InvalidVersion:
+        except (InvalidVersion, TypeError):
             return False
 
         include_range = self._filter_includes.get("range", {})

{pulp_python-3.24.0 → pulp_python-3.24.2}/pulp_python/tests/functional/api/test_full_mirror.py

@@ -11,8 +11,9 @@ from pulp_python.tests.functional.constants import (
 
 from pypi_simple import ProjectPage
 from packaging.version import parse
-from urllib.parse import urljoin, urlsplit
+from urllib.parse import urljoin, urlsplit, urlunsplit
 from random import sample
+from hashlib import sha256
 
 
 def test_pull_through_install(
@@ -182,3 +183,105 @@ def test_pull_through_local_only(
     r = requests.get(url)
     assert r.status_code == 404
     assert r.text == "pulp-python does not exist."
+
+
+@pytest.mark.parallel
+def test_pull_through_filtering_bad_names(python_remote_factory, python_distribution_factory):
+    """Tests that pull-through handles packages with invalid names gracefully."""
+    # ipython version 0.13.X has improper named bdist_wininst, e.g ipython-0.13.py2-win-amd64.exe
+    # pypi-simple expects the platform to go before the pyversion (for .exe), so when parsed the
+    # version and package type will be None.
+    remote = python_remote_factory(url=PYPI_URL, includes=["ipython"])
+    distro = python_distribution_factory(remote=remote.pulp_href)
+
+    url = f"{distro.base_url}simple/ipython/"
+    response = requests.get(url)
+
+    assert response.status_code == 200
+
+    project_page = ProjectPage.from_response(response, "ipython")
+    # Should have no packages with None version (they get filtered out)
+    assert len(project_page.packages) > 0
+    assert all(package.version is not None for package in project_page.packages)
+
+
+@pytest.mark.parallel
+def test_pull_through_metadata(python_remote_factory, python_distribution_factory):
+    """
+    Tests that metadata is correctly served when using pull-through.
+
+    So when requesting the metadata url according to PEP 658 you should just need to add .metadata
+    to the end of the url path. Since pull-through includes a redirect query parameter we need to
+    test adding .metadata to the end of the url path vs adding it to the end of redirect query.
+    """
+    remote = python_remote_factory(includes=["pytz"])
+    distro = python_distribution_factory(remote=remote.pulp_href)
+
+    url = f"{distro.base_url}simple/pytz/"
+    project_page = ProjectPage.from_response(requests.get(url), "pytz")
+    filename1 = "pytz-2023.2-py2.py3-none-any.whl"
+    filename2 = "pytz-2023.3-py2.py3-none-any.whl"
+    package1 = next(p for p in project_page.packages if p.filename == filename1)
+    package2 = next(p for p in project_page.packages if p.filename == filename2)
+    assert package1.has_metadata
+    assert package2.has_metadata
+
+    # The correct way to get the metadata url: add to path (uv does this)
+    parts1 = urlsplit(package1.url)
+    url1 = urlunsplit((parts1[0], parts1[1], parts1[2] + ".metadata", parts1[3], parts1[4]))
+    r = requests.get(url1)
+    assert r.status_code == 200
+    assert sha256(r.content).hexdigest() == package1.metadata_digests["sha256"]
+
+    # The incorrect way to get the metadata url: add to end of string (pip does this)
+    url2 = package2.url + ".metadata"
+    r = requests.get(url2)
+    assert r.status_code == 200
+    assert sha256(r.content).hexdigest() == package2.metadata_digests["sha256"]
+
+
+@pytest.mark.parallel
+def test_pull_through_metadata_with_repo(
+    python_repo_factory,
+    python_remote_factory,
+    python_distribution_factory,
+    pulpcore_bindings,
+):
+    """Tests that metadata is correctly saved when using pull-through with a repository."""
+    remote = python_remote_factory(url=PYPI_URL, includes=["pip"])
+    repo = python_repo_factory()
+    distro = python_distribution_factory(repository=repo.pulp_href, remote=remote.pulp_href)
+
+    pip_url = f"{distro.base_url}simple/pip/"
+    project_page = ProjectPage.from_response(requests.get(pip_url), "pip")
+    filename = "pip-26.0.1-py3-none-any.whl"
+    package = next(p for p in project_page.packages if p.filename == filename)
+    assert package.has_metadata
+    assert "?redirect=" in package.url
+
+    # Retrieve the metadata and assert the content was not saved to the repository
+    parts = urlsplit(package.url)
+    url = urlunsplit((parts[0], parts[1], parts[2] + ".metadata", parts[3], parts[4]))
+    r = requests.get(url)
+    assert r.status_code == 200
+    assert sha256(r.content).hexdigest() == package.metadata_digests["sha256"]
+    project_page = ProjectPage.from_response(requests.get(pip_url), "pip")
+    package = next(p for p in project_page.packages if p.filename == filename)
+    assert package.has_metadata
+    assert "?redirect=" in package.url
+
+    # Now retrieve the package and assert the content was saved with metadata
+    r = requests.get(package.url)
+    assert r.status_code == 200
+    pa = pulpcore_bindings.ArtifactsApi.list(sha256=package.digests["sha256"])
+    assert pa.count == 1
+    ma = pulpcore_bindings.ArtifactsApi.list(sha256=package.metadata_digests["sha256"])
+    assert ma.count == 1
+
+    # Check the simple page is updated to point to the local repository
+    project_page = ProjectPage.from_response(requests.get(pip_url), "pip")
+    package = next(p for p in project_page.packages if p.filename == filename)
+    assert "?redirect=" not in package.url
+    r = requests.get(package.metadata_url)
+    assert r.status_code == 200
+    assert sha256(r.content).hexdigest() == package.metadata_digests["sha256"]

{pulp_python-3.24.0 → pulp_python-3.24.2}/pulp_python.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: pulp-python
-Version: 3.24.0
+Version: 3.24.2
 Summary: pulp-python plugin for the Pulp Project
 Author-email: Pulp Team <pulp-list@redhat.com>
 Project-URL: Homepage, https://pulpproject.org

{pulp_python-3.24.0 → pulp_python-3.24.2}/pyproject.toml

@@ -7,7 +7,7 @@ build-backend = 'setuptools.build_meta'
 
 [project]
 name = "pulp-python"
-version = "3.24.0"
+version = "3.24.2"
 description = "pulp-python plugin for the Pulp Project"
 readme = "README.md"
 authors = [
@@ -77,7 +77,7 @@ ignore = [
 [tool.bumpversion]
 # This section is managed by the plugin template. Do not edit manually.
 
-current_version = "3.24.0"
+current_version = "3.24.2"
 commit = false
 tag = false
 parse = "(?P<major>\\d+)\\.(?P<minor>\\d+)\\.(?P<alpha>0a)?(?P<patch>\\d+)(\\.(?P<release>[a-z]+))?"

pulp_python-3.24.0/pulp_python/app/migrations/0019_create_missing_metadata_artifacts.py

@@ -1,204 +0,0 @@
-# Generated manually on 2025-12-15 14:00 for creating missing metadata artifacts
-
-from django.db import migrations
-
-BATCH_SIZE = 1000
-
-
-def pulp_hashlib_new(name, *args, **kwargs):
-    """
-    Copied and updated (to comply with migrations) from pulpcore.
-    """
-    import hashlib as the_real_hashlib
-    from django.conf import settings
-
-    if name not in settings.ALLOWED_CONTENT_CHECKSUMS:
-        return None
-
-    return the_real_hashlib.new(name, *args, **kwargs)
-
-
-def init_and_validate(file, artifact_model, expected_digests):
-    """
-    Copied and updated (to comply with migrations) from pulpcore.
-    """
-    from django.conf import settings
-
-    digest_fields = []
-    for alg in ("sha512", "sha384", "sha256", "sha224", "sha1", "md5"):
-        if alg in settings.ALLOWED_CONTENT_CHECKSUMS:
-            digest_fields.append(alg)
-
-    if isinstance(file, str):
-        with open(file, "rb") as f:
-            hashers = {
-                n: hasher for n in digest_fields if (hasher := pulp_hashlib_new(n)) is not None
-            }
-            if not hashers:
-                return None
-
-            size = 0
-            while True:
-                chunk = f.read(1048576)  # 1 megabyte
-                if not chunk:
-                    break
-                for algorithm in hashers.values():
-                    algorithm.update(chunk)
-                size = size + len(chunk)
-    else:
-        size = file.size
-        hashers = file.hashers
-
-    mismatched_sha256 = None
-    for algorithm, expected_digest in expected_digests.items():
-        if algorithm not in hashers:
-            return None
-        actual_digest = hashers[algorithm].hexdigest()
-        if expected_digest != actual_digest:
-            # Store the actual value for later fixing if it differs from the package value
-            mismatched_sha256 = actual_digest
-
-    attributes = {"size": size, "file": file}
-    for algorithm in digest_fields:
-        attributes[algorithm] = hashers[algorithm].hexdigest()
-
-    return artifact_model(**attributes), mismatched_sha256
-
-
-def extract_wheel_metadata(filename):
-    """
-    Extract the metadata file content from a wheel file.
-    Return the raw metadata content as bytes or None if metadata cannot be extracted.
-    """
-    import zipfile
-
-    try:
-        with zipfile.ZipFile(filename, "r") as f:
-            for file_path in f.namelist():
-                if file_path.endswith(".dist-info/METADATA"):
-                    return f.read(file_path)
-    except (zipfile.BadZipFile, KeyError, OSError):
-        pass
-    return None
-
-
-def artifact_to_metadata_artifact(filename, artifact, md_digests, tmp_dir, artifact_model):
-    """
-    Create artifact for metadata from the provided wheel artifact.
-    Return (artifact, mismatched_sha256) on success, None on any failure.
-    """
-    import shutil
-    import tempfile
-
-    with tempfile.NamedTemporaryFile("wb", dir=tmp_dir, suffix=filename, delete=False) as temp_file:
-        temp_wheel_path = temp_file.name
-        artifact.file.seek(0)
-        shutil.copyfileobj(artifact.file, temp_file)
-        temp_file.flush()
-
-    metadata_content = extract_wheel_metadata(temp_wheel_path)
-    if not metadata_content:
-        return None
-
-    with tempfile.NamedTemporaryFile(
-        "wb", dir=tmp_dir, suffix=".metadata", delete=False
-    ) as temp_md:
-        temp_metadata_path = temp_md.name
-        temp_md.write(metadata_content)
-        temp_md.flush()
-
-    return init_and_validate(temp_metadata_path, artifact_model, md_digests)
-
-
-def create_missing_metadata_artifacts(apps, schema_editor):
-    """
-    Create metadata artifacts for PythonPackageContent instances that have metadata_sha256
-    but are missing the corresponding metadata artifact.
-    """
-    import tempfile
-    from django.conf import settings
-    from django.db import models
-
-    PythonPackageContent = apps.get_model("python", "PythonPackageContent")
-    ContentArtifact = apps.get_model("core", "ContentArtifact")
-    Artifact = apps.get_model("core", "Artifact")
-
-    packages = (
-        PythonPackageContent.objects.filter(
-            metadata_sha256__isnull=False,
-            filename__endswith=".whl",
-            contentartifact__artifact__isnull=False,
-            contentartifact__relative_path=models.F("filename"),
-        )
-        .exclude(metadata_sha256="")
-        .prefetch_related("_artifacts")
-        .only("filename", "metadata_sha256")
-    )
-    artifact_batch = []
-    contentartifact_batch = []
-    packages_batch = []
-
-    with tempfile.TemporaryDirectory(dir=settings.WORKING_DIRECTORY) as temp_dir:
-        for package in packages:
-            # Get the main artifact for package
-            main_artifact = package._artifacts.get()
-
-            filename = package.filename
-            metadata_digests = {"sha256": package.metadata_sha256}
-            result = artifact_to_metadata_artifact(
-                filename, main_artifact, metadata_digests, temp_dir, Artifact
-            )
-            if result is None:
-                # Unset metadata_sha256 when extraction or validation fails
-                package.metadata_sha256 = None
-                packages_batch.append(package)
-                continue
-            metadata_artifact, mismatched_sha256 = result
-            if mismatched_sha256:
-                # Fix the package if its metadata_sha256 differs from the actual value
-                package.metadata_sha256 = mismatched_sha256
-                packages_batch.append(package)
-
-            # Set the domain on the metadata artifact to match the package's domain
-            metadata_artifact.pulp_domain = package._pulp_domain
-
-            contentartifact = ContentArtifact(
-                artifact=metadata_artifact,
-                content=package,
-                relative_path=f"{filename}.metadata",
-            )
-            artifact_batch.append(metadata_artifact)
-            contentartifact_batch.append(contentartifact)
-
-            if len(artifact_batch) == BATCH_SIZE:
-                Artifact.objects.bulk_create(artifact_batch, batch_size=BATCH_SIZE)
-                ContentArtifact.objects.bulk_create(contentartifact_batch, batch_size=BATCH_SIZE)
-                artifact_batch.clear()
-                contentartifact_batch.clear()
-            if len(packages_batch) == BATCH_SIZE:
-                PythonPackageContent.objects.bulk_update(
-                    packages_batch, ["metadata_sha256"], batch_size=BATCH_SIZE
-                )
-                packages_batch.clear()
-
-        if artifact_batch:
-            Artifact.objects.bulk_create(artifact_batch, batch_size=BATCH_SIZE)
-            ContentArtifact.objects.bulk_create(contentartifact_batch, batch_size=BATCH_SIZE)
-        if packages_batch:
-            PythonPackageContent.objects.bulk_update(
-                packages_batch, ["metadata_sha256"], batch_size=BATCH_SIZE
-            )
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("python", "0018_packageprovenance"),
-    ]
-
-    operations = [
-        migrations.RunPython(
-            create_missing_metadata_artifacts,
-            reverse_code=migrations.RunPython.noop,
-        ),
-    ]