pulp-python 3.27.0__tar.gz → 3.28.0__tar.gz

{pulp_python-3.27.0 → pulp_python-3.28.0}/CHANGES.md

@@ -8,6 +8,23 @@
 
 [//]: # (towncrier release notes start)
 
+## 3.28.0 (2026-03-27) {: #3.28.0 }
+
+#### Features {: #3.28.0-feature }
+
+- Added the name_normalized field to PythonPackageContent model with a database index to replace
+  runtime regex normalization, reducing database load for package name lookups.
+  [#1159](https://github.com/pulp/pulp_python/issues/1159)
+- Added a new `allow_package_substitution` boolean field to PythonRepository (default: True).
+  When set to False, any new repository version that would implicitly replace existing content
+  with content that has the same filename but a different sha256 checksum is rejected. This
+  applies to all repository version creation paths including uploads, modify, and sync. Content
+  with a matching checksum is allowed through idempotently.
+  [#1162](https://github.com/pulp/pulp_python/issues/1162)
+- Added new setting PYPI_PATH_PREFIX to allow for customizing the path prefix for the PyPI API.
+
+---
+
 ## 3.27.0 (2026-03-17) {: #3.27.0 }
 
 #### Bugfixes {: #3.27.0-bugfix }

{pulp_python-3.27.0 → pulp_python-3.28.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: pulp-python
-Version: 3.27.0
+Version: 3.28.0
 Summary: pulp-python plugin for the Pulp Project
 Author-email: Pulp Team <pulp-list@redhat.com>
 Project-URL: Homepage, https://pulpproject.org
@@ -20,7 +20,7 @@ Classifier: Programming Language :: Python :: 3.13
 Requires-Python: >=3.11
 Description-Content-Type: text/markdown
 License-File: LICENSE
-Requires-Dist: pulpcore<3.115,>=3.85.3
+Requires-Dist: pulpcore<3.115,>=3.105.0
 Requires-Dist: pkginfo<1.13.0,>=1.12.0
 Requires-Dist: bandersnatch<6.7,>=6.6.0
 Requires-Dist: pypi-simple<2.0,>=1.8.0

{pulp_python-3.27.0 → pulp_python-3.28.0}/pulp_python/app/__init__.py

@@ -10,7 +10,7 @@ class PulpPythonPluginAppConfig(PulpPluginAppConfig):
 
     name = "pulp_python.app"
     label = "python"
-    version = "3.27.0"
+    version = "3.28.0"
     python_package_name = "pulp-python"
     domain_compatible = True
 

{pulp_python-3.27.0 → pulp_python-3.28.0}/pulp_python/app/global_access_conditions.py

@@ -1,6 +1,5 @@
 from django.conf import settings
 
-
 # Access Condition methods that can be used with PyPI access policies
 
 

pulp_python-3.28.0/pulp_python/app/migrations/0020_pythonpackagecontent_name_normalized.py

@@ -0,0 +1,37 @@
+import re
+
+from django.db import migrations, models, transaction
+
+
+def populate_name_normalized(apps, schema_editor):
+    """Populate name_normalized for existing PythonPackageContent rows."""
+    PythonPackageContent = apps.get_model("python", "PythonPackageContent")
+    package_bulk = []
+    normalize_re = re.compile(r"[-_.]+")
+
+    for package in PythonPackageContent.objects.only("pk", "name").iterator():
+        package.name_normalized = normalize_re.sub("-", package.name).lower()
+        package_bulk.append(package)
+        if len(package_bulk) == 100000:
+            with transaction.atomic():
+                PythonPackageContent.objects.bulk_update(package_bulk, ["name_normalized"])
+                package_bulk = []
+    if package_bulk:
+        with transaction.atomic():
+            PythonPackageContent.objects.bulk_update(package_bulk, ["name_normalized"])
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("python", "0019_create_missing_metadata_artifacts"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="pythonpackagecontent",
+            name="name_normalized",
+            field=models.TextField(db_index=True, default=""),
+        ),
+        migrations.RunPython(populate_name_normalized, migrations.RunPython.noop, elidable=True),
+    ]

pulp_python-3.28.0/pulp_python/app/migrations/0021_pythonrepository_upload_duplicate_filenames.py

@@ -0,0 +1,16 @@
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("python", "0020_pythonpackagecontent_name_normalized"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="pythonrepository",
+            name="allow_package_substitution",
+            field=models.BooleanField(default=True),
+        ),
+    ]

{pulp_python-3.27.0 → pulp_python-3.28.0}/pulp_python/app/models.py

@@ -11,6 +11,7 @@ from django_lifecycle import (
     BEFORE_SAVE,
     hook,
 )
+from rest_framework.serializers import ValidationError
 from pulpcore.plugin.models import (
     AutoAddObjPermsMixin,
     Content,
@@ -31,7 +32,11 @@ from .utils import (
     PYPI_LAST_SERIAL,
     PYPI_SERIAL_CONSTANT,
 )
-from pulpcore.plugin.repo_version_utils import remove_duplicates, validate_repo_version
+from pulpcore.plugin.repo_version_utils import (
+    collect_duplicates,
+    remove_duplicates,
+    validate_repo_version,
+)
 from pulpcore.plugin.util import get_domain_pk, get_domain
 
 log = getLogger(__name__)
@@ -115,7 +120,7 @@ class PythonDistribution(Distribution, AutoAddObjPermsMixin):
         if name:
             normalized = canonicalize_name(name)
             package_content = PythonPackageContent.objects.filter(
-                pk__in=self.publication.repository_version.content, name__normalize=normalized
+                pk__in=self.publication.repository_version.content, name_normalized=normalized
             )
             # TODO Change this value to the Repo's serial value when implemented
             headers = {PYPI_LAST_SERIAL: str(PYPI_SERIAL_CONSTANT)}
@@ -136,14 +141,6 @@ class PythonDistribution(Distribution, AutoAddObjPermsMixin):
         ]
 
 
-class NormalizeName(models.Transform):
-    """A transform field to normalize package names according to PEP426."""
-
-    function = "REGEXP_REPLACE"
-    template = "LOWER(%(function)s(%(expressions)s, '(\.|_|-)', '-', 'ig'))"  # noqa:W605
-    lookup_name = "normalize"
-
-
 class PythonPackageContent(Content):
     """
     A Content Type representing Python's Distribution Package.
@@ -195,6 +192,9 @@ class PythonPackageContent(Content):
     license_expression = models.TextField()
     license_file = models.JSONField(default=list)
 
+    # Stored normalized name for indexed lookups
+    name_normalized = models.TextField(db_index=True, default="")
+
     # Release metadata
     filename = models.TextField(db_index=True)
     packagetype = models.TextField(choices=PACKAGE_TYPES)
@@ -208,9 +208,13 @@ class PythonPackageContent(Content):
     PROTECTED_FROM_RECLAIM = False
     TYPE = "python"
     _pulp_domain = models.ForeignKey("core.Domain", default=get_domain_pk, on_delete=models.PROTECT)
-    name.register_lookup(NormalizeName)
     repo_key_fields = ("filename",)
 
+    @hook(BEFORE_SAVE)
+    def set_name_normalized(self):
+        """Pre-compute the normalized package name for indexed lookups."""
+        self.name_normalized = canonicalize_name(self.name)
+
     @staticmethod
     def init_from_artifact_and_relative_path(artifact, relative_path):
         """Used when downloading package from pull-through cache."""
@@ -363,6 +367,7 @@ class PythonRepository(Repository, AutoAddObjPermsMixin):
     PULL_THROUGH_SUPPORTED = True
 
     autopublish = models.BooleanField(default=False)
+    allow_package_substitution = models.BooleanField(default=True)
 
     class Meta:
         default_related_name = "%(app_label)s_%(model_name)s"
@@ -391,6 +396,25 @@ class PythonRepository(Repository, AutoAddObjPermsMixin):
     def finalize_new_version(self, new_version):
         """
         Remove duplicate packages that have the same filename.
+
+        When allow_package_substitution is False, reject any new version that would implicitly
+        replace existing content with different checksums (content substitution).
         """
+        if not self.allow_package_substitution:
+            self._check_for_package_substitution(new_version)
         remove_duplicates(new_version)
         validate_repo_version(new_version)
+
+    def _check_for_package_substitution(self, new_version):
+        """
+        Raise a ValidationError if newly added packages would replace existing packages that have
+        the same filename but a different sha256 checksum.
+        """
+        qs = PythonPackageContent.objects.filter(pk__in=new_version.content)
+        duplicates = collect_duplicates(qs, ("filename",))
+        if duplicates:
+            raise ValidationError(
+                "Found duplicate packages being added with the same filename but different checksums. "  # noqa: E501
+                "To allow this, set 'allow_package_substitution' to True on the repository. "
+                f"Conflicting packages: {duplicates}"
+            )

{pulp_python-3.27.0 → pulp_python-3.28.0}/pulp_python/app/pypi/views.py

@@ -59,7 +59,7 @@ log = logging.getLogger(__name__)
 
 ORIGIN_HOST = settings.CONTENT_ORIGIN if settings.CONTENT_ORIGIN else settings.PYPI_API_HOSTNAME
 BASE_CONTENT_URL = urljoin(ORIGIN_HOST, settings.CONTENT_PATH_PREFIX)
-BASE_API_URL = urljoin(settings.PYPI_API_HOSTNAME, "pypi/")
+BASE_API_URL = urljoin(settings.PYPI_API_HOSTNAME, settings.PYPI_PATH_PREFIX)
 
 PYPI_SIMPLE_V1_HTML = "application/vnd.pypi.simple.v1+html"
 PYPI_SIMPLE_V1_JSON = "application/vnd.pypi.simple.v1+json"
@@ -303,7 +303,12 @@ class SimpleView(PackageUploadMixin, ViewSet):
         repo_version, content = self.get_rvc()
         if self.should_redirect(repo_version=repo_version):
             return redirect(urljoin(self.base_content_url, f"{path}/simple/"))
-        names = content.order_by("name").values_list("name", flat=True).distinct().iterator()
+        names = (
+            content.order_by("name_normalized")
+            .values_list("name", flat=True)
+            .distinct("name_normalized")
+            .iterator()
+        )
         media_type = request.accepted_renderer.media_type
         headers = {"X-PyPI-Last-Serial": str(PYPI_SERIAL_CONSTANT)}
 
@@ -360,8 +365,8 @@ class SimpleView(PackageUploadMixin, ViewSet):
             releases = self.pull_through_package_simple(normalized, path, self.distribution.remote)
         elif self.should_redirect(repo_version=repo_ver):
             return redirect(urljoin(self.base_content_url, f"{path}/simple/{normalized}/"))
-        if content:
-            local_packages = content.filter(name__normalize=normalized)
+        if content is not None:
+            local_packages = content.filter(name_normalized=normalized)
             packages = local_packages.values(
                 "filename",
                 "sha256",
@@ -454,7 +459,7 @@ class MetadataView(PyPIMixin, ViewSet):
             name = meta_path.parts[0]
         if name:
             normalized = canonicalize_name(name)
-            package_content = content.filter(name__normalize=normalized)
+            package_content = content.filter(name_normalized=normalized)
             # TODO Change this value to the Repo's serial value when implemented
             headers = {PYPI_LAST_SERIAL: str(PYPI_SERIAL_CONSTANT)}
             if settings.DOMAIN_ENABLED:
@@ -541,7 +546,7 @@ class ProvenanceView(PyPIMixin, ViewSet):
         repo_ver, content = self.get_rvc()
         if content:
             package_content = content.filter(
-                name__normalize=package, version=version, filename=filename
+                name_normalized=package, version=version, filename=filename
             ).first()
             if package_content:
                 provenance = self.get_provenances(repo_ver).filter(package=package_content).first()

{pulp_python-3.27.0 → pulp_python-3.28.0}/pulp_python/app/serializers.py

@@ -9,6 +9,7 @@ from packaging.requirements import Requirement
 from rest_framework import serializers
 from pypi_attestations import AttestationError
 from pydantic import TypeAdapter, ValidationError
+from urllib.parse import urljoin
 
 from pulpcore.plugin import models as core_models
 from pulpcore.plugin import serializers as core_serializers
@@ -30,8 +31,8 @@ from pulp_python.app.utils import (
     parse_project_metadata,
 )
 
-
 log = logging.getLogger(__name__)
+PYPI_BASE_URL = urljoin(settings.PYPI_API_HOSTNAME, settings.PYPI_PATH_PREFIX)
 
 
 @extend_schema_serializer(
@@ -52,9 +53,23 @@ class PythonRepositorySerializer(core_serializers.RepositorySerializer):
         default=False,
         required=False,
     )
+    allow_package_substitution = serializers.BooleanField(
+        help_text=_(
+            "Whether to allow package substitution (replacing existing packages with packages "
+            "that have the same filename but a different checksum). When False, any new "
+            "repository version that would cause such a substitution will be rejected. This "
+            "applies to all repository version creation paths including uploads, modify, and "
+            "sync. When True (the default), package substitution is allowed."
+        ),
+        default=True,
+        required=False,
+    )
 
     class Meta:
-        fields = core_serializers.RepositorySerializer.Meta.fields + ("autopublish",)
+        fields = core_serializers.RepositorySerializer.Meta.fields + (
+            "autopublish",
+            "allow_package_substitution",
+        )
         model = python_models.PythonRepository
 
 
@@ -93,8 +108,8 @@ class PythonDistributionSerializer(core_serializers.DistributionSerializer):
     def get_base_url(self, obj):
         """Gets the base url."""
         if settings.DOMAIN_ENABLED:
-            return f"{settings.PYPI_API_HOSTNAME}/pypi/{get_domain().name}/{obj.base_path}/"
-        return f"{settings.PYPI_API_HOSTNAME}/pypi/{obj.base_path}/"
+            return urljoin(PYPI_BASE_URL, f"{get_domain().name}/{obj.base_path}/")
+        return urljoin(PYPI_BASE_URL, f"{obj.base_path}/")
 
     class Meta:
         fields = core_serializers.DistributionSerializer.Meta.fields + (
@@ -447,7 +462,7 @@ class PythonPackageContentSerializer(core_serializers.SingleArtifactContentUploa
         content = super().create(validated_data)
         if provenance:
             prov_sha256 = python_models.PackageProvenance.calculate_sha256(provenance)
-            prov_model, _ = python_models.PackageProvenance.objects.get_or_create(
+            prov_model, _created = python_models.PackageProvenance.objects.get_or_create(
                 sha256=prov_sha256,
                 _pulp_domain=get_domain(),
                 defaults={"package": content, "provenance": provenance},

{pulp_python-3.27.0 → pulp_python-3.28.0}/pulp_python/app/settings.py

@@ -2,6 +2,7 @@ import socket
 
 PYTHON_GROUP_UPLOADS = False
 PYPI_API_HOSTNAME = "https://" + socket.getfqdn()
+PYPI_PATH_PREFIX = "/pypi/"
 
 DRF_ACCESS_POLICY = {
     "dynaconf_merge_unique": True,

{pulp_python-3.27.0 → pulp_python-3.28.0}/pulp_python/app/tasks/publish.py

@@ -12,7 +12,6 @@ from pulp_python.app import models as python_models
 from pulp_python.app.serializers import PythonPublicationSerializer
 from pulp_python.app.utils import write_simple_index, write_simple_detail
 
-
 log = logging.getLogger(__name__)
 
 
@@ -61,9 +60,9 @@ def write_simple_api(publication):
         python_models.PythonPackageContent.objects.filter(
             pk__in=publication.repository_version.content, _pulp_domain=domain
         )
-        .order_by("name__normalize")
+        .order_by("name_normalized")
         .values_list("name", flat=True)
-        .distinct("name__normalize")
+        .distinct("name_normalized")
     )
 
     # write the root index, which lists all of the projects for which there is a package available
@@ -82,7 +81,7 @@ def write_simple_api(publication):
     packages = python_models.PythonPackageContent.objects.filter(
         pk__in=publication.repository_version.content, _pulp_domain=domain
     )
-    releases = packages.order_by("name__normalize").values("name", "filename", "sha256")
+    releases = packages.order_by("name_normalized").values("name", "filename", "sha256")
 
     ind = 0
     current_name = canonicalize_name(project_names[ind])

{pulp_python-3.27.0 → pulp_python-3.28.0}/pulp_python/app/urls.py

@@ -10,9 +10,10 @@ from pulp_python.app.pypi.views import (
 )
 
 if settings.DOMAIN_ENABLED:
-    PYPI_API_URL = "pypi/<slug:pulp_domain>/<path:path>/"
+    PYPI_API_URL = "/<slug:pulp_domain>/<path:path>/"
 else:
-    PYPI_API_URL = "pypi/<path:path>/"
+    PYPI_API_URL = "/<path:path>/"
+PYPI_API_URL = settings.PYPI_PATH_PREFIX.strip("/") + PYPI_API_URL
 # TODO: Implement remaining PyPI endpoints
 # path("project/", PackageProject.as_view()), # Endpoints to nicely see contents of index
 # path("search/", PackageSearch.as_view()),

{pulp_python-3.27.0 → pulp_python-3.28.0}/pulp_python/app/utils.py

@@ -20,7 +20,6 @@ from pulpcore.plugin.models import Artifact, Remote
 from pulpcore.plugin.exceptions import TimeoutException
 from pulpcore.plugin.util import get_domain
 
-
 log = logging.getLogger(__name__)
 
 

{pulp_python-3.27.0 → pulp_python-3.28.0}/pulp_python/app/viewsets.py

@@ -1,19 +1,25 @@
 from bandersnatch.configuration import BandersnatchConfig
 from django.db import transaction
+from django_filters import CharFilter
+from django_filters.rest_framework import filters as drf_filters
 from drf_spectacular.utils import extend_schema, extend_schema_view
+from packaging.utils import canonicalize_name
 from pathlib import Path
 from rest_framework import status
 from rest_framework.decorators import action
 from rest_framework.response import Response
+from rest_framework.serializers import ValidationError
 
 from pulpcore.plugin import viewsets as core_viewsets
 from pulpcore.plugin.actions import ModifyRepositoryActionMixin
 from pulpcore.plugin.models import RepositoryVersion
 from pulpcore.plugin.serializers import (
     AsyncOperationResponseSerializer,
+    RepositoryAddRemoveContentSerializer,
     RepositorySyncURLSerializer,
 )
 from pulpcore.plugin.tasking import check_content, dispatch
+from pulpcore.plugin.util import extract_pk
 
 from pulp_python.app import models as python_models
 from pulp_python.app import serializers as python_serializers
@@ -124,6 +130,43 @@ class PythonRepositoryViewSet(
         "python.pythonrepository_viewer": ["python.view_pythonrepository"],
     }
 
+    @extend_schema(
+        description="Trigger an asynchronous task to create a new repository version.",
+        summary="Modify Repository Content",
+        responses={202: AsyncOperationResponseSerializer},
+    )
+    @action(detail=True, methods=["post"], serializer_class=RepositoryAddRemoveContentSerializer)
+    def modify(self, request, pk):
+        """
+        Queues a task that creates a new RepositoryVersion by adding and removing content units.
+
+        If allow_package_substitution is False and the request is **only** adding packages, then a
+        package substitution check is performed to provide a quicker error response. Otherwise, the
+        check is delegated to the task.
+        """
+        repository = self.get_object()
+        if not repository.allow_package_substitution:
+            remove_content_units = request.data.get("remove_content_units", [])
+            if remove_content_units or "base_version" in request.data:
+                return super().modify(request, pk)
+            rvc = repository.latest_version().content
+            add_content_units = request.data.get("add_content_units", [])
+            content_ids = [extract_pk(x) for x in add_content_units]
+            packages = (
+                python_models.PythonPackageContent.objects.filter(pk__in=content_ids)
+                .exclude(pk__in=rvc)
+                .values("filename")
+            )
+            conflicting_packages = python_models.PythonPackageContent.objects.filter(
+                filename__in=packages, pk__in=rvc
+            )
+            if conflicting_packages.exists():
+                raise ValidationError(
+                    "Found duplicate packages being added with the same filename but different checksums. "  # noqa: E501
+                    f"Existing conflicting packages: {conflicting_packages.values('filename', 'sha256', 'pk')}"  # noqa: E501
+                )
+        return super().modify(request, pk)
+
     @extend_schema(
         summary="Repair metadata",
         responses={202: AsyncOperationResponseSerializer},
@@ -329,15 +372,34 @@ class PythonDistributionViewSet(core_viewsets.DistributionViewSet, core_viewsets
     }
 
 
+class NormalizedNameFilter(CharFilter):
+    """Filter that normalizes the input and queries name_normalized."""
+
+    def filter(self, qs, value):
+        if value:
+            if isinstance(value, list):
+                value = [canonicalize_name(v) for v in value]
+            else:
+                value = canonicalize_name(value)
+        return super().filter(qs, value)
+
+
+class NormalizedNameInFilter(drf_filters.BaseInFilter, NormalizedNameFilter):
+    """In-filter that normalizes each input value and queries name_normalized."""
+
+
 class PythonPackageContentFilter(core_viewsets.ContentFilter):
     """
     FilterSet for PythonPackageContent.
     """
 
+    name = NormalizedNameFilter(field_name="name_normalized", lookup_expr="exact")
+    name__in = NormalizedNameInFilter(field_name="name_normalized", lookup_expr="in")
+    name__contains = CharFilter(field_name="name", lookup_expr="contains")
+
     class Meta:
         model = python_models.PythonPackageContent
         fields = {
-            "name": ["exact", "in", "contains"],
             "author": ["exact", "in", "contains"],
             "packagetype": ["exact", "in"],
             "requires_python": ["exact", "in", "contains"],

{pulp_python-3.27.0 → pulp_python-3.28.0}/pulp_python/pytest_plugin.py

@@ -13,7 +13,6 @@ from pulp_python.tests.functional.constants import (
     PYTHON_WHEEL_FILENAME,
 )
 
-
 # Bindings API Fixtures
 
 

{pulp_python-3.27.0 → pulp_python-3.28.0}/pulp_python/tests/functional/api/test_crud_content_unit.py

@@ -144,44 +144,41 @@ def test_content_create_new_metadata(
         assert getattr(content, k) == v
 
 
+def get_package_url(package, filename):
+    with PyPISimple() as client:
+        page = client.get_project_page(package)
+        for package in page.packages:
+            if package.filename == filename:
+                return package.url
+        raise ValueError(f"Package {filename} not found")
+
+
 @pytest.mark.parallel
 def test_upload_metadata_23_spec(python_content_factory):
     """Test that packages using metadata spec 2.3 can be uploaded to pulp."""
     filename = "urllib3-2.2.2-py3-none-any.whl"
-    with PyPISimple() as client:
-        page = client.get_project_page("urllib3")
-        for package in page.packages:
-            if package.filename == filename:
-                content = python_content_factory(filename, url=package.url)
-                assert content.metadata_version == "2.3"
-                break
+    url = get_package_url("urllib3", filename)
+    content = python_content_factory(filename, url=url)
+    assert content.metadata_version == "2.3"
 
 
 @pytest.mark.parallel
 def test_upload_requires_python(python_content_factory):
     filename = "pip-24.3.1-py3-none-any.whl"
-    with PyPISimple() as client:
-        page = client.get_project_page("pip")
-        for package in page.packages:
-            if package.filename == filename:
-                content = python_content_factory(filename, url=package.url)
-                assert content.requires_python == ">=3.8"
-                break
+    url = get_package_url("pip", filename)
+    content = python_content_factory(filename, url=url)
+    assert content.requires_python == ">=3.8"
 
 
 @pytest.mark.parallel
 def test_upload_metadata_24_spec(python_content_factory):
     """Test that packages using metadata spec 2.4 can be uploaded to pulp."""
     filename = "setuptools-80.9.0.tar.gz"
-    with PyPISimple() as client:
-        page = client.get_project_page("setuptools")
-        for package in page.packages:
-            if package.filename == filename:
-                content = python_content_factory(filename, url=package.url)
-                assert content.metadata_version == "2.4"
-                assert content.license_expression == "MIT"
-                assert content.license_file == '["LICENSE"]'
-                break
+    url = get_package_url("setuptools", filename)
+    content = python_content_factory(filename, url=url)
+    assert content.metadata_version == "2.4"
+    assert content.license_expression == "MIT"
+    assert content.license_file == '["LICENSE"]'
 
 
 @pytest.mark.parallel
@@ -203,3 +200,108 @@ def test_package_creation_with_metadata(
     ensure_metadata(
         pulp_content_url, distro.base_path, PYTHON_WHEEL_FILENAME, "shelf-reader", "0.1"
     )
+
+
+@pytest.mark.parallel
+def test_disallow_package_substitution(
+    monitor_task,
+    python_bindings,
+    python_repo_factory,
+):
+    """
+    When allow_package_substitution=False, any new repository version that would substitute
+    existing content (same filename, different sha256) is rejected. This applies to both
+    content uploads and repository modify operations. Re-adding content with a matching
+    sha256 succeeds idempotently.
+    """
+    repo = python_repo_factory(allow_package_substitution=False)
+    msg1 = "Found duplicate packages being added with the same filename but different checksums."
+    msg2 = "To allow this, set 'allow_package_substitution' to True on the repository."
+
+    # First upload succeeds
+    content_body = {"relative_path": PYTHON_EGG_FILENAME, "file_url": PYTHON_EGG_URL}
+    response = python_bindings.ContentPackagesApi.create(repository=repo.pulp_href, **content_body)
+    task = monitor_task(response.task)
+    content = python_bindings.ContentPackagesApi.read(task.created_resources[-1])
+    assert content.filename == PYTHON_EGG_FILENAME
+
+    # Re-upload same artifact with same filename — should succeed (idempotent)
+    response = python_bindings.ContentPackagesApi.create(repository=repo.pulp_href, **content_body)
+    task = monitor_task(response.task)
+    assert content.pulp_href in task.created_resources
+    repo = python_bindings.RepositoriesPythonApi.read(repo.pulp_href)
+    assert repo.latest_version_href.endswith("/1/")
+
+    # Upload a different artifact with the same filename — should be rejected
+    second_filename = "pip-26.0.1.tar.gz"
+    second_url = get_package_url("pip", second_filename)
+    content_body2 = {"relative_path": PYTHON_EGG_FILENAME, "file_url": second_url}
+    with pytest.raises(PulpTaskError) as exc:
+        response = python_bindings.ContentPackagesApi.create(
+            repository=repo.pulp_href, **content_body2
+        )
+        monitor_task(response.task)
+    assert msg1 in exc.value.task.error["description"]
+    assert msg2 in exc.value.task.error["description"]
+
+    # Also create the conflicting content without a repo, then try to add via modify
+    response = python_bindings.ContentPackagesApi.create(**content_body2)
+    task = monitor_task(response.task)
+    content2 = python_bindings.ContentPackagesApi.read(task.created_resources[0])
+    # When body only contains add_content_units, the request will be rejected
+    body = {"add_content_units": [content2.pulp_href]}
+    with pytest.raises(python_bindings.ApiException) as exc:
+        python_bindings.RepositoriesPythonApi.modify(repo.pulp_href, body)
+    assert msg1 in exc.value.body
+    # Else when body contains other fields, the check will be delegated to the task
+    body = {"add_content_units": [content2.pulp_href], "base_version": repo.latest_version_href}
+    with pytest.raises(PulpTaskError) as exc:
+        monitor_task(python_bindings.RepositoriesPythonApi.modify(repo.pulp_href, body).task)
+    assert msg1 in exc.value.task.error["description"]
+    assert msg2 in exc.value.task.error["description"]
+
+    # Verify the repository still has only the original content
+    repo = python_bindings.RepositoriesPythonApi.read(repo.pulp_href)
+    assert repo.latest_version_href.endswith("/1/")
+    # Check that you can remove the conflicting content and add the new content
+    body = {"remove_content_units": [content.pulp_href], "add_content_units": [content2.pulp_href]}
+    response = python_bindings.RepositoriesPythonApi.modify(repo.pulp_href, body)
+    task = monitor_task(response.task)
+    repo = python_bindings.RepositoriesPythonApi.read(repo.pulp_href)
+    assert repo.latest_version_href.endswith("/2/")
+
+
+@pytest.mark.parallel
+def test_package_substitution_allowed_by_default(
+    monitor_task,
+    python_bindings,
+    python_repo_factory,
+):
+    """
+    By default (allow_package_substitution=True), uploading a file with the same filename
+    but different sha256 replaces the existing content in the repository.
+    """
+    repo = python_repo_factory()
+    assert repo.allow_package_substitution is True
+
+    content_body = {"relative_path": PYTHON_EGG_FILENAME, "file_url": PYTHON_EGG_URL}
+    response = python_bindings.ContentPackagesApi.create(repository=repo.pulp_href, **content_body)
+    task = monitor_task(response.task)
+    content1 = python_bindings.ContentPackagesApi.read(task.created_resources[-1])
+
+    # Upload a different artifact with the same filename — should succeed and replace
+    second_filename = "pip-26.0.tar.gz"
+    second_url = get_package_url("pip", second_filename)
+    content_body = {"relative_path": PYTHON_EGG_FILENAME, "file_url": second_url}
+    response = python_bindings.ContentPackagesApi.create(repository=repo.pulp_href, **content_body)
+    task = monitor_task(response.task)
+    content2 = python_bindings.ContentPackagesApi.read(task.created_resources[-1])
+    assert content2.pulp_href != content1.pulp_href
+
+    # Verify the repo has only the new content
+    repo = python_bindings.RepositoriesPythonApi.read(repo.pulp_href)
+    content_list = python_bindings.ContentPackagesApi.list(
+        repository_version=repo.latest_version_href
+    )
+    assert content_list.count == 1
+    assert content_list.results[0].sha256 == content2.sha256

{pulp_python-3.27.0 → pulp_python-3.28.0}/pulp_python/tests/functional/api/test_domains.py

@@ -12,7 +12,6 @@ from pulp_python.tests.functional.constants import (
 )
 from urllib.parse import urlsplit
 
-
 pytestmark = pytest.mark.skipif(not settings.DOMAIN_ENABLED, reason="Domain not enabled")
 
 

{pulp_python-3.27.0 → pulp_python-3.28.0}/pulp_python/tests/functional/api/test_export_import.py

@@ -14,7 +14,6 @@ from pulp_python.tests.functional.constants import (
     PYTHON_SM_PROJECT_SPECIFIER,
 )
 
-
 pytestmark = [
     pytest.mark.skipif(
         "/tmp" not in settings.ALLOWED_EXPORT_PATHS,

{pulp_python-3.27.0 → pulp_python-3.28.0}/pulp_python/tests/functional/api/test_pypi_apis.py

@@ -16,7 +16,6 @@ from pulp_python.tests.functional.constants import (
 )
 from pulp_python.tests.functional.utils import ensure_metadata
 
-
 PYPI_LAST_SERIAL = "X-PYPI-LAST-SERIAL"
 
 

{pulp_python-3.27.0 → pulp_python-3.28.0}/pulp_python/tests/functional/constants.py

@@ -1,7 +1,6 @@
 import os
 from urllib.parse import urljoin
 
-
 PULP_FIXTURES_BASE_URL = os.environ.get(
     "REMOTE_FIXTURES_ORIGIN", "https://fixtures.pulpproject.org/"
 )

{pulp_python-3.27.0 → pulp_python-3.28.0}/pulp_python.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: pulp-python
-Version: 3.27.0
+Version: 3.28.0
 Summary: pulp-python plugin for the Pulp Project
 Author-email: Pulp Team <pulp-list@redhat.com>
 Project-URL: Homepage, https://pulpproject.org
@@ -20,7 +20,7 @@ Classifier: Programming Language :: Python :: 3.13
 Requires-Python: >=3.11
 Description-Content-Type: text/markdown
 License-File: LICENSE
-Requires-Dist: pulpcore<3.115,>=3.85.3
+Requires-Dist: pulpcore<3.115,>=3.105.0
 Requires-Dist: pkginfo<1.13.0,>=1.12.0
 Requires-Dist: bandersnatch<6.7,>=6.6.0
 Requires-Dist: pypi-simple<2.0,>=1.8.0

{pulp_python-3.27.0 → pulp_python-3.28.0}/pulp_python.egg-info/SOURCES.txt

@@ -50,6 +50,8 @@ pulp_python/app/migrations/0016_pythonpackagecontent_metadata_sha256.py
 pulp_python/app/migrations/0017_pythonpackagecontent_size.py
 pulp_python/app/migrations/0018_packageprovenance.py
 pulp_python/app/migrations/0019_create_missing_metadata_artifacts.py
+pulp_python/app/migrations/0020_pythonpackagecontent_name_normalized.py
+pulp_python/app/migrations/0021_pythonrepository_upload_duplicate_filenames.py
 pulp_python/app/migrations/__init__.py
 pulp_python/app/pypi/__init__.py
 pulp_python/app/pypi/serializers.py

{pulp_python-3.27.0 → pulp_python-3.28.0}/pulp_python.egg-info/requires.txt

@@ -1,4 +1,4 @@
-pulpcore<3.115,>=3.85.3
+pulpcore<3.115,>=3.105.0
 pkginfo<1.13.0,>=1.12.0
 bandersnatch<6.7,>=6.6.0
 pypi-simple<2.0,>=1.8.0

{pulp_python-3.27.0 → pulp_python-3.28.0}/pyproject.toml

@@ -7,7 +7,7 @@ build-backend = 'setuptools.build_meta'
 
 [project]
 name = "pulp-python"
-version = "3.27.0"
+version = "3.28.0"
 description = "pulp-python plugin for the Pulp Project"
 readme = "README.md"
 authors = [
@@ -26,7 +26,7 @@ classifiers=[
 ]
 requires-python = ">=3.11"
 dependencies = [
-  "pulpcore>=3.85.3,<3.115",
+  "pulpcore>=3.105.0,<3.115",
   "pkginfo>=1.12.0,<1.13.0",
   "bandersnatch>=6.6.0,<6.7",
   "pypi-simple>=1.8.0,<2.0",
@@ -79,7 +79,7 @@ ignore = [
 [tool.bumpversion]
 # This section is managed by the plugin template. Do not edit manually.
 
-current_version = "3.27.0"
+current_version = "3.28.0"
 commit = false
 tag = false
 parse = "(?P<major>\\d+)\\.(?P<minor>\\d+)\\.(?P<alpha>0a)?(?P<patch>\\d+)(\\.(?P<release>[a-z]+))?"