pulp-python 3.26.1__py3-none-any.whl → 3.28.0__py3-none-any.whl

pulp_python/app/__init__.py

@@ -10,7 +10,7 @@ class PulpPythonPluginAppConfig(PulpPluginAppConfig):
 
     name = "pulp_python.app"
     label = "python"
-    version = "3.26.1"
+    version = "3.28.0"
     python_package_name = "pulp-python"
     domain_compatible = True
 

pulp_python/app/global_access_conditions.py

@@ -1,6 +1,5 @@
 from django.conf import settings
 
-
 # Access Condition methods that can be used with PyPI access policies
 
 

pulp_python/app/migrations/0020_pythonpackagecontent_name_normalized.py

@@ -0,0 +1,37 @@
+import re
+
+from django.db import migrations, models, transaction
+
+
+def populate_name_normalized(apps, schema_editor):
+    """Populate name_normalized for existing PythonPackageContent rows."""
+    PythonPackageContent = apps.get_model("python", "PythonPackageContent")
+    package_bulk = []
+    normalize_re = re.compile(r"[-_.]+")
+
+    for package in PythonPackageContent.objects.only("pk", "name").iterator():
+        package.name_normalized = normalize_re.sub("-", package.name).lower()
+        package_bulk.append(package)
+        if len(package_bulk) == 100000:
+            with transaction.atomic():
+                PythonPackageContent.objects.bulk_update(package_bulk, ["name_normalized"])
+                package_bulk = []
+    if package_bulk:
+        with transaction.atomic():
+            PythonPackageContent.objects.bulk_update(package_bulk, ["name_normalized"])
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("python", "0019_create_missing_metadata_artifacts"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="pythonpackagecontent",
+            name="name_normalized",
+            field=models.TextField(db_index=True, default=""),
+        ),
+        migrations.RunPython(populate_name_normalized, migrations.RunPython.noop, elidable=True),
+    ]

pulp_python/app/migrations/0021_pythonrepository_upload_duplicate_filenames.py

@@ -0,0 +1,16 @@
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("python", "0020_pythonpackagecontent_name_normalized"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="pythonrepository",
+            name="allow_package_substitution",
+            field=models.BooleanField(default=True),
+        ),
+    ]

pulp_python/app/models.py

@@ -11,6 +11,7 @@ from django_lifecycle import (
     BEFORE_SAVE,
     hook,
 )
+from rest_framework.serializers import ValidationError
 from pulpcore.plugin.models import (
     AutoAddObjPermsMixin,
     Content,
@@ -31,7 +32,11 @@ from .utils import (
     PYPI_LAST_SERIAL,
     PYPI_SERIAL_CONSTANT,
 )
-from pulpcore.plugin.repo_version_utils import remove_duplicates, validate_repo_version
+from pulpcore.plugin.repo_version_utils import (
+    collect_duplicates,
+    remove_duplicates,
+    validate_repo_version,
+)
 from pulpcore.plugin.util import get_domain_pk, get_domain
 
 log = getLogger(__name__)
@@ -115,7 +120,7 @@ class PythonDistribution(Distribution, AutoAddObjPermsMixin):
         if name:
             normalized = canonicalize_name(name)
             package_content = PythonPackageContent.objects.filter(
-                pk__in=self.publication.repository_version.content, name__normalize=normalized
+                pk__in=self.publication.repository_version.content, name_normalized=normalized
             )
             # TODO Change this value to the Repo's serial value when implemented
             headers = {PYPI_LAST_SERIAL: str(PYPI_SERIAL_CONSTANT)}
@@ -136,14 +141,6 @@ class PythonDistribution(Distribution, AutoAddObjPermsMixin):
         ]
 
 
-class NormalizeName(models.Transform):
-    """A transform field to normalize package names according to PEP426."""
-
-    function = "REGEXP_REPLACE"
-    template = "LOWER(%(function)s(%(expressions)s, '(\.|_|-)', '-', 'ig'))"  # noqa:W605
-    lookup_name = "normalize"
-
-
 class PythonPackageContent(Content):
     """
     A Content Type representing Python's Distribution Package.
@@ -195,6 +192,9 @@ class PythonPackageContent(Content):
     license_expression = models.TextField()
     license_file = models.JSONField(default=list)
 
+    # Stored normalized name for indexed lookups
+    name_normalized = models.TextField(db_index=True, default="")
+
     # Release metadata
     filename = models.TextField(db_index=True)
     packagetype = models.TextField(choices=PACKAGE_TYPES)
@@ -208,9 +208,13 @@ class PythonPackageContent(Content):
     PROTECTED_FROM_RECLAIM = False
     TYPE = "python"
     _pulp_domain = models.ForeignKey("core.Domain", default=get_domain_pk, on_delete=models.PROTECT)
-    name.register_lookup(NormalizeName)
     repo_key_fields = ("filename",)
 
+    @hook(BEFORE_SAVE)
+    def set_name_normalized(self):
+        """Pre-compute the normalized package name for indexed lookups."""
+        self.name_normalized = canonicalize_name(self.name)
+
     @staticmethod
     def init_from_artifact_and_relative_path(artifact, relative_path):
         """Used when downloading package from pull-through cache."""
@@ -363,6 +367,7 @@ class PythonRepository(Repository, AutoAddObjPermsMixin):
     PULL_THROUGH_SUPPORTED = True
 
     autopublish = models.BooleanField(default=False)
+    allow_package_substitution = models.BooleanField(default=True)
 
     class Meta:
         default_related_name = "%(app_label)s_%(model_name)s"
@@ -391,6 +396,25 @@ class PythonRepository(Repository, AutoAddObjPermsMixin):
     def finalize_new_version(self, new_version):
         """
         Remove duplicate packages that have the same filename.
+
+        When allow_package_substitution is False, reject any new version that would implicitly
+        replace existing content with different checksums (content substitution).
         """
+        if not self.allow_package_substitution:
+            self._check_for_package_substitution(new_version)
         remove_duplicates(new_version)
         validate_repo_version(new_version)
+
+    def _check_for_package_substitution(self, new_version):
+        """
+        Raise a ValidationError if newly added packages would replace existing packages that have
+        the same filename but a different sha256 checksum.
+        """
+        qs = PythonPackageContent.objects.filter(pk__in=new_version.content)
+        duplicates = collect_duplicates(qs, ("filename",))
+        if duplicates:
+            raise ValidationError(
+                "Found duplicate packages being added with the same filename but different checksums. "  # noqa: E501
+                "To allow this, set 'allow_package_substitution' to True on the repository. "
+                f"Conflicting packages: {duplicates}"
+            )

pulp_python/app/pypi/views.py

@@ -59,7 +59,7 @@ log = logging.getLogger(__name__)
 
 ORIGIN_HOST = settings.CONTENT_ORIGIN if settings.CONTENT_ORIGIN else settings.PYPI_API_HOSTNAME
 BASE_CONTENT_URL = urljoin(ORIGIN_HOST, settings.CONTENT_PATH_PREFIX)
-BASE_API_URL = urljoin(settings.PYPI_API_HOSTNAME, "pypi/")
+BASE_API_URL = urljoin(settings.PYPI_API_HOSTNAME, settings.PYPI_PATH_PREFIX)
 
 PYPI_SIMPLE_V1_HTML = "application/vnd.pypi.simple.v1+html"
 PYPI_SIMPLE_V1_JSON = "application/vnd.pypi.simple.v1+json"
@@ -303,7 +303,12 @@ class SimpleView(PackageUploadMixin, ViewSet):
         repo_version, content = self.get_rvc()
         if self.should_redirect(repo_version=repo_version):
             return redirect(urljoin(self.base_content_url, f"{path}/simple/"))
-        names = content.order_by("name").values_list("name", flat=True).distinct().iterator()
+        names = (
+            content.order_by("name_normalized")
+            .values_list("name", flat=True)
+            .distinct("name_normalized")
+            .iterator()
+        )
         media_type = request.accepted_renderer.media_type
         headers = {"X-PyPI-Last-Serial": str(PYPI_SERIAL_CONSTANT)}
 
@@ -360,8 +365,8 @@ class SimpleView(PackageUploadMixin, ViewSet):
             releases = self.pull_through_package_simple(normalized, path, self.distribution.remote)
         elif self.should_redirect(repo_version=repo_ver):
             return redirect(urljoin(self.base_content_url, f"{path}/simple/{normalized}/"))
-        if content:
-            local_packages = content.filter(name__normalize=normalized)
+        if content is not None:
+            local_packages = content.filter(name_normalized=normalized)
             packages = local_packages.values(
                 "filename",
                 "sha256",
@@ -454,7 +459,7 @@ class MetadataView(PyPIMixin, ViewSet):
             name = meta_path.parts[0]
         if name:
             normalized = canonicalize_name(name)
-            package_content = content.filter(name__normalize=normalized)
+            package_content = content.filter(name_normalized=normalized)
             # TODO Change this value to the Repo's serial value when implemented
             headers = {PYPI_LAST_SERIAL: str(PYPI_SERIAL_CONSTANT)}
             if settings.DOMAIN_ENABLED:
@@ -541,7 +546,7 @@ class ProvenanceView(PyPIMixin, ViewSet):
         repo_ver, content = self.get_rvc()
         if content:
             package_content = content.filter(
-                name__normalize=package, version=version, filename=filename
+                name_normalized=package, version=version, filename=filename
             ).first()
             if package_content:
                 provenance = self.get_provenances(repo_ver).filter(package=package_content).first()

pulp_python/app/replica.py

@@ -37,8 +37,7 @@ class PythonReplicator(Replicator):
         return None
 
     def repository_extra_fields(self, remote):
-        # Use autopublish since publications result in faster serving times
-        return {"autopublish": True}
+        return {"autopublish": False}
 
     def sync_params(self, repository, remote):
         return {"remote_pk": str(remote.pk), "repository_pk": str(repository.pk), "mirror": True}

pulp_python/app/serializers.py

@@ -4,10 +4,12 @@ import tempfile
 from gettext import gettext as _
 from django.conf import settings
 from django.db.utils import IntegrityError
+from drf_spectacular.utils import extend_schema_serializer
 from packaging.requirements import Requirement
 from rest_framework import serializers
 from pypi_attestations import AttestationError
 from pydantic import TypeAdapter, ValidationError
+from urllib.parse import urljoin
 
 from pulpcore.plugin import models as core_models
 from pulpcore.plugin import serializers as core_serializers
@@ -29,10 +31,15 @@ from pulp_python.app.utils import (
     parse_project_metadata,
 )
 
-
 log = logging.getLogger(__name__)
+PYPI_BASE_URL = urljoin(settings.PYPI_API_HOSTNAME, settings.PYPI_PATH_PREFIX)
 
 
+@extend_schema_serializer(
+    deprecate_fields=[
+        "autopublish",
+    ]
+)
 class PythonRepositorySerializer(core_serializers.RepositorySerializer):
     """
     Serializer for Python Repositories.
@@ -41,17 +48,36 @@ class PythonRepositorySerializer(core_serializers.RepositorySerializer):
     autopublish = serializers.BooleanField(
         help_text=_(
             "Whether to automatically create publications for new repository versions, "
-            "and update any distributions pointing to this repository."
+            "and update any distributions pointing to this repository. [Deprecated]"
         ),
         default=False,
         required=False,
     )
+    allow_package_substitution = serializers.BooleanField(
+        help_text=_(
+            "Whether to allow package substitution (replacing existing packages with packages "
+            "that have the same filename but a different checksum). When False, any new "
+            "repository version that would cause such a substitution will be rejected. This "
+            "applies to all repository version creation paths including uploads, modify, and "
+            "sync. When True (the default), package substitution is allowed."
+        ),
+        default=True,
+        required=False,
+    )
 
     class Meta:
-        fields = core_serializers.RepositorySerializer.Meta.fields + ("autopublish",)
+        fields = core_serializers.RepositorySerializer.Meta.fields + (
+            "autopublish",
+            "allow_package_substitution",
+        )
         model = python_models.PythonRepository
 
 
+@extend_schema_serializer(
+    deprecate_fields=[
+        "publication",
+    ]
+)
 class PythonDistributionSerializer(core_serializers.DistributionSerializer):
     """
     Serializer for Pulp distributions for the Python type.
@@ -59,7 +85,7 @@ class PythonDistributionSerializer(core_serializers.DistributionSerializer):
 
     publication = core_serializers.DetailRelatedField(
         required=False,
-        help_text=_("Publication to be served"),
+        help_text=_("Publication to be served. [Deprecated]"),
         view_name_pattern=r"publications(-.*/.*)?-detail",
         queryset=core_models.Publication.objects.exclude(complete=False),
         allow_null=True,
@@ -82,8 +108,8 @@ class PythonDistributionSerializer(core_serializers.DistributionSerializer):
     def get_base_url(self, obj):
         """Gets the base url."""
         if settings.DOMAIN_ENABLED:
-            return f"{settings.PYPI_API_HOSTNAME}/pypi/{get_domain().name}/{obj.base_path}/"
-        return f"{settings.PYPI_API_HOSTNAME}/pypi/{obj.base_path}/"
+            return urljoin(PYPI_BASE_URL, f"{get_domain().name}/{obj.base_path}/")
+        return urljoin(PYPI_BASE_URL, f"{obj.base_path}/")
 
     class Meta:
         fields = core_serializers.DistributionSerializer.Meta.fields + (
@@ -436,7 +462,7 @@ class PythonPackageContentSerializer(core_serializers.SingleArtifactContentUploa
         content = super().create(validated_data)
         if provenance:
             prov_sha256 = python_models.PackageProvenance.calculate_sha256(provenance)
-            prov_model, _ = python_models.PackageProvenance.objects.get_or_create(
+            prov_model, _created = python_models.PackageProvenance.objects.get_or_create(
                 sha256=prov_sha256,
                 _pulp_domain=get_domain(),
                 defaults={"package": content, "provenance": provenance},

pulp_python/app/settings.py

@@ -2,6 +2,7 @@ import socket
 
 PYTHON_GROUP_UPLOADS = False
 PYPI_API_HOSTNAME = "https://" + socket.getfqdn()
+PYPI_PATH_PREFIX = "/pypi/"
 
 DRF_ACCESS_POLICY = {
     "dynaconf_merge_unique": True,

pulp_python/app/tasks/publish.py

@@ -12,7 +12,6 @@ from pulp_python.app import models as python_models
 from pulp_python.app.serializers import PythonPublicationSerializer
 from pulp_python.app.utils import write_simple_index, write_simple_detail
 
-
 log = logging.getLogger(__name__)
 
 
@@ -61,9 +60,9 @@ def write_simple_api(publication):
         python_models.PythonPackageContent.objects.filter(
             pk__in=publication.repository_version.content, _pulp_domain=domain
         )
-        .order_by("name__normalize")
+        .order_by("name_normalized")
         .values_list("name", flat=True)
-        .distinct("name__normalize")
+        .distinct("name_normalized")
     )
 
     # write the root index, which lists all of the projects for which there is a package available
@@ -82,7 +81,7 @@ def write_simple_api(publication):
     packages = python_models.PythonPackageContent.objects.filter(
         pk__in=publication.repository_version.content, _pulp_domain=domain
     )
-    releases = packages.order_by("name__normalize").values("name", "filename", "sha256")
+    releases = packages.order_by("name_normalized").values("name", "filename", "sha256")
 
     ind = 0
     current_name = canonicalize_name(project_names[ind])

pulp_python/app/urls.py

@@ -10,9 +10,10 @@ from pulp_python.app.pypi.views import (
 )
 
 if settings.DOMAIN_ENABLED:
-    PYPI_API_URL = "pypi/<slug:pulp_domain>/<path:path>/"
+    PYPI_API_URL = "/<slug:pulp_domain>/<path:path>/"
 else:
-    PYPI_API_URL = "pypi/<path:path>/"
+    PYPI_API_URL = "/<path:path>/"
+PYPI_API_URL = settings.PYPI_PATH_PREFIX.strip("/") + PYPI_API_URL
 # TODO: Implement remaining PyPI endpoints
 # path("project/", PackageProject.as_view()), # Endpoints to nicely see contents of index
 # path("search/", PackageSearch.as_view()),

pulp_python/app/utils.py

@@ -20,7 +20,6 @@ from pulpcore.plugin.models import Artifact, Remote
 from pulpcore.plugin.exceptions import TimeoutException
 from pulpcore.plugin.util import get_domain
 
-
 log = logging.getLogger(__name__)
 
 

pulp_python/app/viewsets.py

@@ -1,19 +1,25 @@
 from bandersnatch.configuration import BandersnatchConfig
 from django.db import transaction
-from drf_spectacular.utils import extend_schema
+from django_filters import CharFilter
+from django_filters.rest_framework import filters as drf_filters
+from drf_spectacular.utils import extend_schema, extend_schema_view
+from packaging.utils import canonicalize_name
 from pathlib import Path
 from rest_framework import status
 from rest_framework.decorators import action
 from rest_framework.response import Response
+from rest_framework.serializers import ValidationError
 
 from pulpcore.plugin import viewsets as core_viewsets
 from pulpcore.plugin.actions import ModifyRepositoryActionMixin
 from pulpcore.plugin.models import RepositoryVersion
 from pulpcore.plugin.serializers import (
     AsyncOperationResponseSerializer,
+    RepositoryAddRemoveContentSerializer,
     RepositorySyncURLSerializer,
 )
 from pulpcore.plugin.tasking import check_content, dispatch
+from pulpcore.plugin.util import extract_pk
 
 from pulp_python.app import models as python_models
 from pulp_python.app import serializers as python_serializers
@@ -124,6 +130,43 @@ class PythonRepositoryViewSet(
         "python.pythonrepository_viewer": ["python.view_pythonrepository"],
     }
 
+    @extend_schema(
+        description="Trigger an asynchronous task to create a new repository version.",
+        summary="Modify Repository Content",
+        responses={202: AsyncOperationResponseSerializer},
+    )
+    @action(detail=True, methods=["post"], serializer_class=RepositoryAddRemoveContentSerializer)
+    def modify(self, request, pk):
+        """
+        Queues a task that creates a new RepositoryVersion by adding and removing content units.
+
+        If allow_package_substitution is False and the request is **only** adding packages, then a
+        package substitution check is performed to provide a quicker error response. Otherwise, the
+        check is delegated to the task.
+        """
+        repository = self.get_object()
+        if not repository.allow_package_substitution:
+            remove_content_units = request.data.get("remove_content_units", [])
+            if remove_content_units or "base_version" in request.data:
+                return super().modify(request, pk)
+            rvc = repository.latest_version().content
+            add_content_units = request.data.get("add_content_units", [])
+            content_ids = [extract_pk(x) for x in add_content_units]
+            packages = (
+                python_models.PythonPackageContent.objects.filter(pk__in=content_ids)
+                .exclude(pk__in=rvc)
+                .values("filename")
+            )
+            conflicting_packages = python_models.PythonPackageContent.objects.filter(
+                filename__in=packages, pk__in=rvc
+            )
+            if conflicting_packages.exists():
+                raise ValidationError(
+                    "Found duplicate packages being added with the same filename but different checksums. "  # noqa: E501
+                    f"Existing conflicting packages: {conflicting_packages.values('filename', 'sha256', 'pk')}"  # noqa: E501
+                )
+        return super().modify(request, pk)
+
     @extend_schema(
         summary="Repair metadata",
         responses={202: AsyncOperationResponseSerializer},
@@ -329,15 +372,34 @@ class PythonDistributionViewSet(core_viewsets.DistributionViewSet, core_viewsets
     }
 
 
+class NormalizedNameFilter(CharFilter):
+    """Filter that normalizes the input and queries name_normalized."""
+
+    def filter(self, qs, value):
+        if value:
+            if isinstance(value, list):
+                value = [canonicalize_name(v) for v in value]
+            else:
+                value = canonicalize_name(value)
+        return super().filter(qs, value)
+
+
+class NormalizedNameInFilter(drf_filters.BaseInFilter, NormalizedNameFilter):
+    """In-filter that normalizes each input value and queries name_normalized."""
+
+
 class PythonPackageContentFilter(core_viewsets.ContentFilter):
     """
     FilterSet for PythonPackageContent.
     """
 
+    name = NormalizedNameFilter(field_name="name_normalized", lookup_expr="exact")
+    name__in = NormalizedNameInFilter(field_name="name_normalized", lookup_expr="in")
+    name__contains = CharFilter(field_name="name", lookup_expr="contains")
+
     class Meta:
         model = python_models.PythonPackageContent
         fields = {
-            "name": ["exact", "in", "contains"],
             "author": ["exact", "in", "contains"],
             "packagetype": ["exact", "in"],
             "requires_python": ["exact", "in", "contains"],
@@ -605,11 +667,21 @@ class PythonRemoteViewSet(core_viewsets.RemoteViewSet, core_viewsets.RolesMixin)
         return Response(remote.data, status=status.HTTP_201_CREATED, headers=headers)
 
 
+@extend_schema_view(
+    list=extend_schema(deprecated=True),
+    add_role=extend_schema(deprecated=True),
+    remove_role=extend_schema(deprecated=True),
+    list_roles=extend_schema(deprecated=True),
+    my_permissions=extend_schema(deprecated=True),
+)
 class PythonPublicationViewSet(core_viewsets.PublicationViewSet, core_viewsets.RolesMixin):
     """
-    <!-- User-facing documentation, rendered as html-->
     Python Publications refer to the Python Package content in a repository version, and include
-    metadata about that content.
+    metadata about that content. [Deprecated] See
+    https://pulpproject.org/pulp_python/docs/user/guides/host/#migrating-off-publications for more
+    information.
+
+    Use a repository or repository-version to serve content instead.
 
     """
 
@@ -677,7 +749,7 @@ class PythonPublicationViewSet(core_viewsets.PublicationViewSet, core_viewsets.R
         "python.pythonpublication_viewer": ["python.view_pythonpublication"],
     }
 
-    @extend_schema(responses={202: AsyncOperationResponseSerializer})
+    @extend_schema(responses={202: AsyncOperationResponseSerializer}, deprecated=True)
     def create(self, request):
         """
         <!-- User-facing documentation, rendered as html-->
@@ -698,3 +770,11 @@ class PythonPublicationViewSet(core_viewsets.PublicationViewSet, core_viewsets.R
             kwargs={"repository_version_pk": str(repository_version.pk)},
         )
         return core_viewsets.OperationPostponedResponse(result, request)
+
+    @extend_schema(deprecated=True)
+    def retrieve(self, request, *args, **kwargs):
+        return super().retrieve(request, *args, **kwargs)
+
+    @extend_schema(deprecated=True)
+    def destroy(self, request, *args, **kwargs):
+        return super().destroy(request, *args, **kwargs)

pulp_python/pytest_plugin.py

@@ -13,7 +13,6 @@ from pulp_python.tests.functional.constants import (
     PYTHON_WHEEL_FILENAME,
 )
 
-
 # Bindings API Fixtures
 
 

pulp_python/tests/functional/api/test_crud_content_unit.py

@@ -144,44 +144,41 @@ def test_content_create_new_metadata(
         assert getattr(content, k) == v
 
 
+def get_package_url(package, filename):
+    with PyPISimple() as client:
+        page = client.get_project_page(package)
+        for package in page.packages:
+            if package.filename == filename:
+                return package.url
+        raise ValueError(f"Package {filename} not found")
+
+
 @pytest.mark.parallel
 def test_upload_metadata_23_spec(python_content_factory):
     """Test that packages using metadata spec 2.3 can be uploaded to pulp."""
     filename = "urllib3-2.2.2-py3-none-any.whl"
-    with PyPISimple() as client:
-        page = client.get_project_page("urllib3")
-        for package in page.packages:
-            if package.filename == filename:
-                content = python_content_factory(filename, url=package.url)
-                assert content.metadata_version == "2.3"
-                break
+    url = get_package_url("urllib3", filename)
+    content = python_content_factory(filename, url=url)
+    assert content.metadata_version == "2.3"
 
 
 @pytest.mark.parallel
 def test_upload_requires_python(python_content_factory):
     filename = "pip-24.3.1-py3-none-any.whl"
-    with PyPISimple() as client:
-        page = client.get_project_page("pip")
-        for package in page.packages:
-            if package.filename == filename:
-                content = python_content_factory(filename, url=package.url)
-                assert content.requires_python == ">=3.8"
-                break
+    url = get_package_url("pip", filename)
+    content = python_content_factory(filename, url=url)
+    assert content.requires_python == ">=3.8"
 
 
 @pytest.mark.parallel
 def test_upload_metadata_24_spec(python_content_factory):
     """Test that packages using metadata spec 2.4 can be uploaded to pulp."""
     filename = "setuptools-80.9.0.tar.gz"
-    with PyPISimple() as client:
-        page = client.get_project_page("setuptools")
-        for package in page.packages:
-            if package.filename == filename:
-                content = python_content_factory(filename, url=package.url)
-                assert content.metadata_version == "2.4"
-                assert content.license_expression == "MIT"
-                assert content.license_file == '["LICENSE"]'
-                break
+    url = get_package_url("setuptools", filename)
+    content = python_content_factory(filename, url=url)
+    assert content.metadata_version == "2.4"
+    assert content.license_expression == "MIT"
+    assert content.license_file == '["LICENSE"]'
 
 
 @pytest.mark.parallel
@@ -203,3 +200,108 @@ def test_package_creation_with_metadata(
     ensure_metadata(
         pulp_content_url, distro.base_path, PYTHON_WHEEL_FILENAME, "shelf-reader", "0.1"
     )
+
+
+@pytest.mark.parallel
+def test_disallow_package_substitution(
+    monitor_task,
+    python_bindings,
+    python_repo_factory,
+):
+    """
+    When allow_package_substitution=False, any new repository version that would substitute
+    existing content (same filename, different sha256) is rejected. This applies to both
+    content uploads and repository modify operations. Re-adding content with a matching
+    sha256 succeeds idempotently.
+    """
+    repo = python_repo_factory(allow_package_substitution=False)
+    msg1 = "Found duplicate packages being added with the same filename but different checksums."
+    msg2 = "To allow this, set 'allow_package_substitution' to True on the repository."
+
+    # First upload succeeds
+    content_body = {"relative_path": PYTHON_EGG_FILENAME, "file_url": PYTHON_EGG_URL}
+    response = python_bindings.ContentPackagesApi.create(repository=repo.pulp_href, **content_body)
+    task = monitor_task(response.task)
+    content = python_bindings.ContentPackagesApi.read(task.created_resources[-1])
+    assert content.filename == PYTHON_EGG_FILENAME
+
+    # Re-upload same artifact with same filename — should succeed (idempotent)
+    response = python_bindings.ContentPackagesApi.create(repository=repo.pulp_href, **content_body)
+    task = monitor_task(response.task)
+    assert content.pulp_href in task.created_resources
+    repo = python_bindings.RepositoriesPythonApi.read(repo.pulp_href)
+    assert repo.latest_version_href.endswith("/1/")
+
+    # Upload a different artifact with the same filename — should be rejected
+    second_filename = "pip-26.0.1.tar.gz"
+    second_url = get_package_url("pip", second_filename)
+    content_body2 = {"relative_path": PYTHON_EGG_FILENAME, "file_url": second_url}
+    with pytest.raises(PulpTaskError) as exc:
+        response = python_bindings.ContentPackagesApi.create(
+            repository=repo.pulp_href, **content_body2
+        )
+        monitor_task(response.task)
+    assert msg1 in exc.value.task.error["description"]
+    assert msg2 in exc.value.task.error["description"]
+
+    # Also create the conflicting content without a repo, then try to add via modify
+    response = python_bindings.ContentPackagesApi.create(**content_body2)
+    task = monitor_task(response.task)
+    content2 = python_bindings.ContentPackagesApi.read(task.created_resources[0])
+    # When body only contains add_content_units, the request will be rejected
+    body = {"add_content_units": [content2.pulp_href]}
+    with pytest.raises(python_bindings.ApiException) as exc:
+        python_bindings.RepositoriesPythonApi.modify(repo.pulp_href, body)
+    assert msg1 in exc.value.body
+    # Else when body contains other fields, the check will be delegated to the task
+    body = {"add_content_units": [content2.pulp_href], "base_version": repo.latest_version_href}
+    with pytest.raises(PulpTaskError) as exc:
+        monitor_task(python_bindings.RepositoriesPythonApi.modify(repo.pulp_href, body).task)
+    assert msg1 in exc.value.task.error["description"]
+    assert msg2 in exc.value.task.error["description"]
+
+    # Verify the repository still has only the original content
+    repo = python_bindings.RepositoriesPythonApi.read(repo.pulp_href)
+    assert repo.latest_version_href.endswith("/1/")
+    # Check that you can remove the conflicting content and add the new content
+    body = {"remove_content_units": [content.pulp_href], "add_content_units": [content2.pulp_href]}
+    response = python_bindings.RepositoriesPythonApi.modify(repo.pulp_href, body)
+    task = monitor_task(response.task)
+    repo = python_bindings.RepositoriesPythonApi.read(repo.pulp_href)
+    assert repo.latest_version_href.endswith("/2/")
+
+
+@pytest.mark.parallel
+def test_package_substitution_allowed_by_default(
+    monitor_task,
+    python_bindings,
+    python_repo_factory,
+):
+    """
+    By default (allow_package_substitution=True), uploading a file with the same filename
+    but different sha256 replaces the existing content in the repository.
+    """
+    repo = python_repo_factory()
+    assert repo.allow_package_substitution is True
+
+    content_body = {"relative_path": PYTHON_EGG_FILENAME, "file_url": PYTHON_EGG_URL}
+    response = python_bindings.ContentPackagesApi.create(repository=repo.pulp_href, **content_body)
+    task = monitor_task(response.task)
+    content1 = python_bindings.ContentPackagesApi.read(task.created_resources[-1])
+
+    # Upload a different artifact with the same filename — should succeed and replace
+    second_filename = "pip-26.0.tar.gz"
+    second_url = get_package_url("pip", second_filename)
+    content_body = {"relative_path": PYTHON_EGG_FILENAME, "file_url": second_url}
+    response = python_bindings.ContentPackagesApi.create(repository=repo.pulp_href, **content_body)
+    task = monitor_task(response.task)
+    content2 = python_bindings.ContentPackagesApi.read(task.created_resources[-1])
+    assert content2.pulp_href != content1.pulp_href
+
+    # Verify the repo has only the new content
+    repo = python_bindings.RepositoriesPythonApi.read(repo.pulp_href)
+    content_list = python_bindings.ContentPackagesApi.list(
+        repository_version=repo.latest_version_href
+    )
+    assert content_list.count == 1
+    assert content_list.results[0].sha256 == content2.sha256

pulp_python/tests/functional/api/test_domains.py

@@ -12,7 +12,6 @@ from pulp_python.tests.functional.constants import (
 )
 from urllib.parse import urlsplit
 
-
 pytestmark = pytest.mark.skipif(not settings.DOMAIN_ENABLED, reason="Domain not enabled")
 
 
@@ -182,7 +181,6 @@ def test_domain_content_replication(
         python_bindings.ContentPackagesApi,
         python_bindings.RepositoriesPythonApi,
         python_bindings.RemotesPythonApi,
-        python_bindings.PublicationsPypiApi,
         python_bindings.DistributionsPypiApi,
     ):
         result = api_client.list(pulp_domain=replica_domain.name)
@@ -204,9 +202,6 @@ def test_domain_content_replication(
 
     response = python_bindings.ContentPackagesApi.list(pulp_domain=replica_domain.name)
     assert PYTHON_SM_PACKAGE_COUNT + 1 == response.count
-    response = python_bindings.PublicationsPypiApi.list(pulp_domain=replica_domain.name)
-    assert 2 == response.count
-    add_to_cleanup(python_bindings.PublicationsPypiApi, response.results[0])
     assert 1 == python_bindings.RepositoriesPythonApi.list(pulp_domain=replica_domain.name).count
     assert 1 == python_bindings.DistributionsPypiApi.list(pulp_domain=replica_domain.name).count
     assert 1 == python_bindings.RemotesPythonApi.list(pulp_domain=replica_domain.name).count

pulp_python/tests/functional/api/test_export_import.py

@@ -14,7 +14,6 @@ from pulp_python.tests.functional.constants import (
     PYTHON_SM_PROJECT_SPECIFIER,
 )
 
-
 pytestmark = [
     pytest.mark.skipif(
         "/tmp" not in settings.ALLOWED_EXPORT_PATHS,

pulp_python/tests/functional/api/test_pypi_apis.py

@@ -16,7 +16,6 @@ from pulp_python.tests.functional.constants import (
 )
 from pulp_python.tests.functional.utils import ensure_metadata
 
-
 PYPI_LAST_SERIAL = "X-PYPI-LAST-SERIAL"
 
 

pulp_python/tests/functional/constants.py

@@ -1,7 +1,6 @@
 import os
 from urllib.parse import urljoin
 
-
 PULP_FIXTURES_BASE_URL = os.environ.get(
     "REMOTE_FIXTURES_ORIGIN", "https://fixtures.pulpproject.org/"
 )

{pulp_python-3.26.1.dist-info → pulp_python-3.28.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: pulp-python
-Version: 3.26.1
+Version: 3.28.0
 Summary: pulp-python plugin for the Pulp Project
 Author-email: Pulp Team <pulp-list@redhat.com>
 Project-URL: Homepage, https://pulpproject.org
@@ -20,7 +20,7 @@ Classifier: Programming Language :: Python :: 3.13
 Requires-Python: >=3.11
 Description-Content-Type: text/markdown
 License-File: LICENSE
-Requires-Dist: pulpcore<3.115,>=3.85.3
+Requires-Dist: pulpcore<3.115,>=3.105.0
 Requires-Dist: pkginfo<1.13.0,>=1.12.0
 Requires-Dist: bandersnatch<6.7,>=6.6.0
 Requires-Dist: pypi-simple<2.0,>=1.8.0

{pulp_python-3.26.1.dist-info → pulp_python-3.28.0.dist-info}/RECORD

@@ -1,16 +1,16 @@
 pulp_python/__init__.py,sha256=GIuTLoBTc-07dSLJUh8xrZPRz8x-jJ61pfR0J1IjnzI,65
-pulp_python/pytest_plugin.py,sha256=r6-flyyEed8lmIQii_zBWPqKN7tKcdr_sGvjixW3N98,8605
-pulp_python/app/__init__.py,sha256=6mh2SzpYY028Oh_Bts692hnCpyAKVYil7zdzIOj1vXM,2488
-pulp_python/app/global_access_conditions.py,sha256=y8NwdgAoaB5iY7EzSBoCQOgVopSHpVMc55FKJmCGGlI,1081
+pulp_python/pytest_plugin.py,sha256=EBivPJa39ZE1QaDWea9candeeJL_W_cBk6Q7Onhw4bE,8604
+pulp_python/app/__init__.py,sha256=VQR1pE7NwTGjpbsrocrfmt0jkvIahx4QbL0lV5knq3A,2488
+pulp_python/app/global_access_conditions.py,sha256=MZJtyoVsr-4hRaty6mKDqh3caOHd5UKJjEWLV2crOLs,1080
 pulp_python/app/modelresource.py,sha256=dogoBWibBmQyFpcV-Hp1lu7D2WwSECa5PEShWSIg7mg,1248
-pulp_python/app/models.py,sha256=j2U__78AMhyYIiRKyA_o5_55EvqkZSJVh4QWmpGtX-A,14055
+pulp_python/app/models.py,sha256=954pFPP05zbwRQmicA0NxFT3VIEur17HFOxPGSYBgp0,15218
 pulp_python/app/provenance.py,sha256=iyhkuNahHiTDK0Djrd4-PlgErA5SJVI0uQOIPj46tEI,2352
-pulp_python/app/replica.py,sha256=DaBq5biQARMePmoHuAZbYSn3oRR-VOHztzuw8MCxQA0,1877
-pulp_python/app/serializers.py,sha256=GODYeagBCeSi3VuI87c2ELw4dQPqjZDXb70cch_bDpw,28427
-pulp_python/app/settings.py,sha256=HXJK3rr0LVTOv1xBS5cZvVtz6j4SvFZl0PH3sLTcu2w,227
-pulp_python/app/urls.py,sha256=dw6SQ7N6SIxHALAjTdGg3dPL3-54MVoDzUKfqXA2epI,1328
-pulp_python/app/utils.py,sha256=Y0lYDMCsGaIh8MKU6Wu3n57LuNzN3zKn0rVP_XZKPVE,25777
-pulp_python/app/viewsets.py,sha256=BI18m7a1Yo5AkKf0KSgvWowavT3hslADdgDBuR_V0Hw,27712
+pulp_python/app/replica.py,sha256=GHSLLKUVg4SRMEsMnesxI2xgB0Z83AzrWY1-UbACF0g,1802
+pulp_python/app/serializers.py,sha256=67D1fGg-GxD3iQlEo-TI-3JOyaI2-VHqU_UNn9RDha8,29433
+pulp_python/app/settings.py,sha256=Cyc_p6U0HQjKpyrRL6JFrK3R7RMQJ9MAgNMJCfzPEiA,255
+pulp_python/app/urls.py,sha256=3-UG9-bkPW_bs8362XBnxbpGqQetyuMOfPaayadMYFo,1387
+pulp_python/app/utils.py,sha256=RrKEqVnsorf2UICSjR3WnH8X1m-XjoVIiZs8u0JrhfM,25776
+pulp_python/app/viewsets.py,sha256=yAXvuHNLdOkLznwiqIPSQPKf8-ttPGsmWy-mG1cbO38,31410
 pulp_python/app/management/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 pulp_python/app/management/commands/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 pulp_python/app/management/commands/repair-python-metadata.py,sha256=i-mC3UYxIiHJoknRV4xZZ7cQ44lyqWshpbaeYi7as8E,4457
@@ -34,12 +34,14 @@ pulp_python/app/migrations/0016_pythonpackagecontent_metadata_sha256.py,sha256=f
 pulp_python/app/migrations/0017_pythonpackagecontent_size.py,sha256=jly-NWXl82HqkIHEToMjxt27GXv46XAHSmj2ghZpsVQ,1737
 pulp_python/app/migrations/0018_packageprovenance.py,sha256=FU67aw6u77TjlPuzxRrRyq76rXa7b14Dk-c_8rlemnI,1940
 pulp_python/app/migrations/0019_create_missing_metadata_artifacts.py,sha256=glHecwu0X17RdRHo1MvjDRvrqpJ7EgxvYXy1FOXJvn4,817
+pulp_python/app/migrations/0020_pythonpackagecontent_name_normalized.py,sha256=n-gtLKmhDiydgkM5Fv8OisoFZYPPOhOa8-9nExCCq14,1317
+pulp_python/app/migrations/0021_pythonrepository_upload_duplicate_filenames.py,sha256=Yx-Cgk8DR9J9e9ht00xy0s6ogh2Rh5JS7AbdzSngKLY,384
 pulp_python/app/migrations/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 pulp_python/app/pypi/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 pulp_python/app/pypi/serializers.py,sha256=w6_doLpaO8Dnzur57MYrTIqEP4I3LI8biu9ipLC66fk,5028
-pulp_python/app/pypi/views.py,sha256=ksQflLQSwcsmoJtQG6B440rQ8CPF_bSTdWXpYJFEAg4,21006
+pulp_python/app/pypi/views.py,sha256=s53NgE_LiWKVJJdLMOwj8XG23vvKObmSI95cLklkXtw,21127
 pulp_python/app/tasks/__init__.py,sha256=lTFpVvpDKbqv9RC0b2RYU8Bo6svDjrA-djt16pADFr8,284
-pulp_python/app/tasks/publish.py,sha256=b0JwHZvnIsJ8gEc_GJm6lUKQC3Po1lxW1TcP2q59WXA,4335
+pulp_python/app/tasks/publish.py,sha256=_1SymLwmJsZepBLdecb69ijnnTeqiH054I6n4HuSIVo,4334
 pulp_python/app/tasks/repair.py,sha256=_SACezEsnal8VnSGR91yTI-kJ6axZaEIBrhS1hkO8JA,11723
 pulp_python/app/tasks/sync.py,sha256=hBA4iyY9HFbLZMFWqVJ4W3Q3NAN122QVaOSEGSSnMtc,12868
 pulp_python/app/tasks/upload.py,sha256=12E9ihDqbe9Ihij9o6p_yuV6WF1Yyt6zPeOI2dzCEms,5697
@@ -49,20 +51,20 @@ pulp_python/app/webserver_snippets/apache.conf,sha256=3frHSl2YV_8pJPscaFxMVo7Hmx
 pulp_python/app/webserver_snippets/nginx.conf,sha256=gMqZGFefsTJVVx9YRxpHVS7NMEll9CzOseYdtLr3Avc,344
 pulp_python/tests/__init__.py,sha256=4Yz43a8s-KyhdHFb5eEhIIvH72807Y84uAHnG5bO5y0,31
 pulp_python/tests/functional/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-pulp_python/tests/functional/constants.py,sha256=lUkMLsPUOeF7duMB_epr65gDMybLu-JZDWNFKT2Ybio,13820
+pulp_python/tests/functional/constants.py,sha256=SvzlxGQz1I-p3JEBSqNz9qoAYfq5yhGsqtYoJpCOioU,13819
 pulp_python/tests/functional/utils.py,sha256=ZmOVSa94o0KvH7l42YwuUAcNJo8Eb733QBH2G6nGkeQ,5901
 pulp_python/tests/functional/api/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 pulp_python/tests/functional/api/test_attestations.py,sha256=_opUZT65c5H2j_8ous-nKGHmDOw8EMjxdooTIQhiXQ8,8640
 pulp_python/tests/functional/api/test_auto_publish.py,sha256=uCIt4LsO61oMk3bDs3LMQDJI8zkKqvY0b1uX16bTxzM,1747
 pulp_python/tests/functional/api/test_consume_content.py,sha256=QUOZ_bQ_Ortzitc7sjlMEJzRhPm00wayxjZvEeK18jI,1000
-pulp_python/tests/functional/api/test_crud_content_unit.py,sha256=GbCDRY5iaLSRvPAvhz1a3mrYu_WN2lOEnFLltT6yL54,8756
+pulp_python/tests/functional/api/test_crud_content_unit.py,sha256=IjkyVC761ZTOhdM3ksT_5zvvWhMk326BSJlUyql0vFM,13793
 pulp_python/tests/functional/api/test_crud_publications.py,sha256=uoTGHbhKq_mYOYtNV8Tt9cyhzY0zsoG1DhYrfIdYcMc,5646
 pulp_python/tests/functional/api/test_crud_remotes.py,sha256=uRo51X3MDWIls4Fdxw5unvU47_JyyLEg2w41ByvDcmY,5811
-pulp_python/tests/functional/api/test_domains.py,sha256=RtQWpp78Oq0Vq1V_-sbBBIo9E8jR_lkcKMjgH6--lWI,10453
+pulp_python/tests/functional/api/test_domains.py,sha256=owbvFxOKDuAVX2PUpsO0olAmQmIKFThBqnQtjfKbS8Y,10210
 pulp_python/tests/functional/api/test_download_content.py,sha256=msnsKpU6TGT8eNu6e0uFa4fte6hj85OTexwOHdf66-c,4950
-pulp_python/tests/functional/api/test_export_import.py,sha256=A_LkhvnoXzm1-F7Qy8dZZcpDo2BPngnhjf55T0bH20E,4513
+pulp_python/tests/functional/api/test_export_import.py,sha256=QciJ7Pdv6HSv3mKGqKSNW5g9M8e9tkWcapRQ1PUxabU,4512
 pulp_python/tests/functional/api/test_full_mirror.py,sha256=npBj0IR10JUmjZyBY99NAGc8t5Xjbzl-y__69X9Eh1E,12045
-pulp_python/tests/functional/api/test_pypi_apis.py,sha256=aQuZy_OO767fT0arc0syE6qtYkFjh0nEmp8Gqo9RDj4,11692
+pulp_python/tests/functional/api/test_pypi_apis.py,sha256=sdovsmCb88aDaEqTe_RKXiBJDaAx5BRRaT1oNPbIAfo,11691
 pulp_python/tests/functional/api/test_pypi_simple_api.py,sha256=UzO3K3GMqiDUsAMWlxy9xM3kYtnD6e2WYNtwlJWYm-U,7251
 pulp_python/tests/functional/api/test_rbac.py,sha256=cy1RQHvWKbE4f4aPu33ZdIUBiJBnW8aOXKlDHHcCuxo,10512
 pulp_python/tests/functional/api/test_repair.py,sha256=8tW4jgR4pAsAswsblZM2NKdGAKnh1zuH7572k2GO4ag,12908
@@ -73,9 +75,9 @@ pulp_python/tests/functional/assets/shelf-reader-0.1.tar.gz.publish.attestation,
 pulp_python/tests/functional/assets/shelf_reader-0.1-py2-none-any.whl.publish.attestation,sha256=muTQ8dqYSSdx76DlaPjB1REcNIS-aak-Na0TkASxu8M,10426
 pulp_python/tests/unit/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 pulp_python/tests/unit/test_models.py,sha256=TBI0yKsrdbnJSPeBFfxSqhXK7zaNvR6qg5JehGH3Pds,229
-pulp_python-3.26.1.dist-info/licenses/LICENSE,sha256=2ylvL381vKOhdO-w6zkrOxe9lLNBhRQpo9_0EbHC_HM,18046
-pulp_python-3.26.1.dist-info/METADATA,sha256=17f-Cq_Rg-n3Nq4H1B0fbY5nEyvZrOZOPYOrTkmnsHk,1743
-pulp_python-3.26.1.dist-info/WHEEL,sha256=aeYiig01lYGDzBgS8HxWXOg3uV61G9ijOsup-k9o1sk,91
-pulp_python-3.26.1.dist-info/entry_points.txt,sha256=HvqLEXjw_dS5jqAwnE5JiRZFE6f-y5SRtitKLPml2To,115
-pulp_python-3.26.1.dist-info/top_level.txt,sha256=X0hXgXc_bpbiKqVrkt8jD5_QEiQviKbHDwveQcOcJjo,12
-pulp_python-3.26.1.dist-info/RECORD,,
+pulp_python-3.28.0.dist-info/licenses/LICENSE,sha256=2ylvL381vKOhdO-w6zkrOxe9lLNBhRQpo9_0EbHC_HM,18046
+pulp_python-3.28.0.dist-info/METADATA,sha256=WvS2V5FUZUE3BYiWfMg9SBMxgC__4zGZHi5rDh4orLU,1744
+pulp_python-3.28.0.dist-info/WHEEL,sha256=aeYiig01lYGDzBgS8HxWXOg3uV61G9ijOsup-k9o1sk,91
+pulp_python-3.28.0.dist-info/entry_points.txt,sha256=HvqLEXjw_dS5jqAwnE5JiRZFE6f-y5SRtitKLPml2To,115
+pulp_python-3.28.0.dist-info/top_level.txt,sha256=X0hXgXc_bpbiKqVrkt8jD5_QEiQviKbHDwveQcOcJjo,12
+pulp_python-3.28.0.dist-info/RECORD,,