pulp-python 3.28.1__tar.gz → 3.29.0__tar.gz

{pulp_python-3.28.1 → pulp_python-3.29.0}/CHANGES.md

@@ -8,6 +8,30 @@
 
 [//]: # (towncrier release notes start)
 
+## 3.29.0 (2026-04-17) {: #3.29.0 }
+
+#### Features {: #3.29.0-feature }
+
+- Added repository-specific package blocklist.
+  [#1166](https://github.com/pulp/pulp_python/issues/1166)
+
+#### Bugfixes {: #3.29.0-bugfix }
+
+- Fixed "Worker has gone missing" errors during repair_metadata on large repositories (1000+ packages) by reducing peak memory consumption.
+  [#1188](https://github.com/pulp/pulp_python/issues/1188)
+- Support "atomic" replications in pulpcore 3.107
+
+---
+
+## 3.28.2 (2026-04-14) {: #3.28.2 }
+
+#### Bugfixes {: #3.28.2-bugfix }
+
+- Fixed "Worker has gone missing" errors during repair_metadata on large repositories (1000+ packages) by reducing peak memory consumption.
+  [#1188](https://github.com/pulp/pulp_python/issues/1188)
+
+---
+
 ## 3.28.1 (2026-04-01) {: #3.28.1 }
 
 #### Bugfixes {: #3.28.1-bugfix }
@@ -33,6 +57,23 @@
 
 ---
 
+## 3.27.2 (2026-04-14) {: #3.27.2 }
+
+#### Bugfixes {: #3.27.2-bugfix }
+
+- Fixed "Worker has gone missing" errors during repair_metadata on large repositories (1000+ packages) by reducing peak memory consumption.
+  [#1188](https://github.com/pulp/pulp_python/issues/1188)
+
+---
+
+## 3.27.1 (2026-04-01) {: #3.27.1 }
+
+#### Bugfixes {: #3.27.1-bugfix }
+
+- Support "atomic" replications in pulpcore 3.107
+
+---
+
 ## 3.27.0 (2026-03-17) {: #3.27.0 }
 
 #### Bugfixes {: #3.27.0-bugfix }
@@ -340,6 +381,14 @@
 
 ---
 
+## 3.13.6 (2026-04-01) {: #3.13.6 }
+
+#### Bugfixes {: #3.13.6-bugfix }
+
+- Support "atomic" replications in pulpcore 3.107
+
+---
+
 ## 3.13.5 (2025-04-23) {: #3.13.5 }
 
 No significant changes.
@@ -406,6 +455,14 @@ No significant changes.
 
 ---
 
+## 3.12.9 (2026-04-01) {: #3.12.9 }
+
+#### Bugfixes {: #3.12.9-bugfix }
+
+- Support "atomic" replications in pulpcore 3.107
+
+---
+
 ## 3.12.8 (2025-11-18) {: #3.12.8 }
 
 No significant changes.

{pulp_python-3.28.1 → pulp_python-3.29.0}/MANIFEST.in

@@ -11,3 +11,5 @@ include unittest_requirements.txt
 include pulp_python/app/webserver_snippets/*
 include pulp_python/tests/functional/assets/*
 exclude releasing.md
+
+exclude .gitleaks.toml

{pulp_python-3.28.1 → pulp_python-3.29.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: pulp-python
-Version: 3.28.1
+Version: 3.29.0
 Summary: pulp-python plugin for the Pulp Project
 Author-email: Pulp Team <pulp-list@redhat.com>
 Project-URL: Homepage, https://pulpproject.org

{pulp_python-3.28.1 → pulp_python-3.29.0}/pulp_python/app/__init__.py

@@ -10,7 +10,7 @@ class PulpPythonPluginAppConfig(PulpPluginAppConfig):
 
     name = "pulp_python.app"
     label = "python"
-    version = "3.28.1"
+    version = "3.29.0"
     python_package_name = "pulp-python"
     domain_compatible = True
 

pulp_python-3.29.0/pulp_python/app/migrations/0022_pythonblocklistentry.py

@@ -0,0 +1,48 @@
+# Generated by Django 5.2.10 on 2026-04-16 14:00
+
+import django.db.models.deletion
+import django_lifecycle.mixins
+import pulpcore.app.models.base
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("python", "0021_pythonrepository_upload_duplicate_filenames"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="PythonBlocklistEntry",
+            fields=[
+                (
+                    "pulp_id",
+                    models.UUIDField(
+                        default=pulpcore.app.models.base.pulp_uuid,
+                        editable=False,
+                        primary_key=True,
+                        serialize=False,
+                    ),
+                ),
+                ("pulp_created", models.DateTimeField(auto_now_add=True)),
+                ("pulp_last_updated", models.DateTimeField(auto_now=True, null=True)),
+                ("name", models.TextField(default=None, null=True)),
+                ("version", models.TextField(default=None, null=True)),
+                ("filename", models.TextField(default=None, null=True)),
+                ("added_by", models.TextField(default="")),
+                (
+                    "repository",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name="blocklist_entries",
+                        to="python.pythonrepository",
+                    ),
+                ),
+            ],
+            options={
+                "default_related_name": "%(app_label)s_%(model_name)s",
+            },
+            bases=(django_lifecycle.mixins.LifecycleModelMixin, models.Model),
+        ),
+    ]

{pulp_python-3.28.1 → pulp_python-3.29.0}/pulp_python/app/models.py

@@ -14,6 +14,7 @@ from django_lifecycle import (
 from rest_framework.serializers import ValidationError
 from pulpcore.plugin.models import (
     AutoAddObjPermsMixin,
+    BaseModel,
     Content,
     Publication,
     Distribution,
@@ -399,9 +400,12 @@ class PythonRepository(Repository, AutoAddObjPermsMixin):
 
         When allow_package_substitution is False, reject any new version that would implicitly
         replace existing content with different checksums (content substitution).
+
+        Also checks newly added content against the repository's blocklist entries.
         """
         if not self.allow_package_substitution:
             self._check_for_package_substitution(new_version)
+        self._check_blocklist(new_version)
         remove_duplicates(new_version)
         validate_repo_version(new_version)
 
@@ -418,3 +422,63 @@ class PythonRepository(Repository, AutoAddObjPermsMixin):
                 "To allow this, set 'allow_package_substitution' to True on the repository. "
                 f"Conflicting packages: {duplicates}"
             )
+
+    def _check_blocklist(self, new_version):
+        """
+        Check newly added content in a repository version against the blocklist.
+        """
+        added_content = PythonPackageContent.objects.filter(
+            pk__in=new_version.added().values_list("pk", flat=True)
+        ).only("filename", "name_normalized", "version")
+        if added_content.exists():
+            self.check_blocklist_for_packages(added_content)
+
+    def check_blocklist_for_packages(self, packages):
+        """
+        Raise a ValidationError if any of the given packages match a blocklist entry.
+        """
+        entries = PythonBlocklistEntry.objects.filter(repository=self)
+        if not entries.exists():
+            return
+
+        blocked = []
+        for pkg in packages:
+            for entry in entries:
+                if entry.filename and entry.filename == pkg.filename:
+                    blocked.append(pkg.filename)
+                    break
+                if entry.name == pkg.name_normalized:
+                    if not entry.version or entry.version == pkg.version:
+                        blocked.append(pkg.filename)
+                        break
+        if blocked:
+            raise ValidationError(
+                "Blocklisted packages cannot be added to this repository: "
+                "{}".format(", ".join(blocked))
+            )
+
+
+class PythonBlocklistEntry(BaseModel):
+    """
+    An entry in a PythonRepository's package blocklist.
+
+    Blocklist entries prevent packages from being added to the repository.
+    Entries can match by package `name` (all versions), package `name` + `version`,
+    or exact `filename`. Exactly one of `name` or `filename` must be provided.
+    """
+
+    name = models.TextField(null=True, default=None)
+    version = models.TextField(null=True, default=None)
+    filename = models.TextField(null=True, default=None)
+    added_by = models.TextField(default="")
+    repository = models.ForeignKey(
+        PythonRepository, on_delete=models.CASCADE, related_name="blocklist_entries"
+    )
+
+    def __str__(self):
+        if self.filename:
+            return f"<{self._meta.object_name}: {self.filename}>"
+        return f"<{self._meta.object_name}: {self.name} [{self.version or 'all'}]>"
+
+    class Meta:
+        default_related_name = "%(app_label)s_%(model_name)s"

{pulp_python-3.28.1 → pulp_python-3.29.0}/pulp_python/app/serializers.py

@@ -6,6 +6,7 @@ from django.conf import settings
 from django.db.utils import IntegrityError
 from drf_spectacular.utils import extend_schema_serializer
 from packaging.requirements import Requirement
+from packaging.version import Version, InvalidVersion
 from rest_framework import serializers
 from pypi_attestations import AttestationError
 from pydantic import TypeAdapter, ValidationError
@@ -13,9 +14,10 @@ from urllib.parse import urljoin
 
 from pulpcore.plugin import models as core_models
 from pulpcore.plugin import serializers as core_serializers
-from pulpcore.plugin.util import get_domain, get_prn, get_current_authenticated_user
+from pulpcore.plugin.util import get_domain, get_prn, get_current_authenticated_user, reverse
 
 from pulp_python.app import models as python_models
+from pulp_python.app.utils import canonicalize_name
 from pulp_python.app.provenance import (
     Attestation,
     Provenance,
@@ -53,6 +55,11 @@ class PythonRepositorySerializer(core_serializers.RepositorySerializer):
         default=False,
         required=False,
     )
+    blocklist_entries_href = serializers.SerializerMethodField(
+        help_text=_("URL to the blocklist entries for this repository."),
+        read_only=True,
+    )
+
     allow_package_substitution = serializers.BooleanField(
         help_text=_(
             "Whether to allow package substitution (replacing existing packages with packages "
@@ -65,10 +72,15 @@ class PythonRepositorySerializer(core_serializers.RepositorySerializer):
         required=False,
     )
 
+    def get_blocklist_entries_href(self, obj):
+        repo_href = reverse("repositories-python/python-detail", kwargs={"pk": obj.pk})
+        return f"{repo_href}blocklist_entries/"
+
     class Meta:
         fields = core_serializers.RepositorySerializer.Meta.fields + (
             "autopublish",
             "allow_package_substitution",
+            "blocklist_entries_href",
         )
         model = python_models.PythonRepository
 
@@ -780,6 +792,115 @@ class PythonRemoteSerializer(core_serializers.RemoteSerializer):
         model = python_models.PythonRemote
 
 
+class PythonBlocklistEntrySerializer(core_serializers.ModelSerializer):
+    """
+    Serializer for PythonBlocklistEntry.
+
+    The `repository` is supplied by the URL (not the request body) and is injected
+    by the viewset before saving.
+    """
+
+    pulp_href = serializers.SerializerMethodField(
+        read_only=True,
+        help_text=_("The URL of this blocklist entry."),
+    )
+    repository = core_serializers.DetailRelatedField(
+        read_only=True,
+        view_name_pattern=r"repositories(-.*/.*)?-detail",
+        help_text=_("Repository this blocklist entry belongs to."),
+    )
+    name = serializers.CharField(
+        required=False,
+        allow_null=True,
+        default=None,
+        help_text=_(
+            "Package name to block (for all versions). Compared after PEP 503 normalization. "
+            "Required when 'filename' is not provided."
+        ),
+    )
+    version = serializers.CharField(
+        required=False,
+        allow_null=True,
+        default=None,
+        help_text=_("Exact version string to block (e.g. '1.0'). Only used when 'name' is set."),
+    )
+    filename = serializers.CharField(
+        required=False,
+        allow_null=True,
+        default=None,
+        help_text=_("Exact filename to block. Required when 'name' is not provided."),
+    )
+    added_by = serializers.CharField(
+        read_only=True,
+        help_text=_("PRN of the user who added this blocklist entry."),
+    )
+
+    def get_pulp_href(self, obj):
+        repo_href = reverse("repositories-python/python-detail", kwargs={"pk": obj.repository_id})
+        return f"{repo_href}blocklist_entries/{obj.pk}/"
+
+    def validate(self, data):
+        """
+        Validate that the blocklist entry is well-formed and not a duplicate.
+        """
+        name = data.get("name")
+        filename = data.get("filename")
+        version = data.get("version")
+
+        if version and filename:
+            raise serializers.ValidationError(_("'version' cannot be used with 'filename'."))
+        if version and not name:
+            raise serializers.ValidationError(_("'version' requires 'name' to be provided."))
+        if bool(name) == bool(filename):
+            raise serializers.ValidationError(
+                _("Exactly one of 'name' or 'filename' must be provided.")
+            )
+
+        if version:
+            try:
+                Version(version)
+            except InvalidVersion:
+                raise serializers.ValidationError(
+                    {"version": _("'{}' is not a valid version.").format(version)}
+                )
+        if name:
+            data["name"] = canonicalize_name(name)
+            name = data["name"]
+
+        repository = self.context.get("repository")
+        if repository:
+            qs = python_models.PythonBlocklistEntry.objects.filter(repository=repository)
+            if name and qs.filter(name=name, version=version).exists():
+                raise serializers.ValidationError(
+                    _("A blocklist entry with this name and version already exists.")
+                )
+            if filename and qs.filter(filename=filename).exists():
+                raise serializers.ValidationError(
+                    _("A blocklist entry with this filename already exists.")
+                )
+            data["repository"] = repository
+
+        return data
+
+    def create(self, validated_data):
+        """
+        Create a new blocklist entry, recording the authenticated user in `added_by`.
+        """
+        user = get_current_authenticated_user()
+        validated_data["added_by"] = get_prn(user) if user else ""
+        return super().create(validated_data)
+
+    class Meta:
+        fields = core_serializers.ModelSerializer.Meta.fields + (
+            "repository",
+            "name",
+            "version",
+            "filename",
+            "added_by",
+        )
+        model = python_models.PythonBlocklistEntry
+
+
 class PythonBanderRemoteSerializer(serializers.Serializer):
     """
     A Serializer for the initial step of creating a Python Remote from a Bandersnatch config file

{pulp_python-3.28.1 → pulp_python-3.29.0}/pulp_python/app/tasks/repair.py

@@ -1,4 +1,5 @@
 import logging
+import os
 from collections import defaultdict
 from gettext import gettext as _
 from itertools import groupby
@@ -8,18 +9,20 @@ from django.db.models import Prefetch
 from django.db.models.query import QuerySet
 from pulp_python.app.models import PythonPackageContent, PythonRepository
 from pulp_python.app.utils import (
-    artifact_to_metadata_artifact,
     artifact_to_python_content_data,
+    copy_artifact_to_temp_file,
+    extract_wheel_metadata,
     fetch_json_release_metadata,
+    metadata_content_to_artifact,
     parse_metadata,
 )
-from pulpcore.plugin.models import Artifact, ContentArtifact, ProgressReport
+from pulpcore.plugin.models import ContentArtifact, ProgressReport
 from pulpcore.plugin.util import get_domain
 
 log = logging.getLogger(__name__)
 
 
-BULK_SIZE = 1000
+BULK_SIZE = 250
 
 
 def repair(repository_pk: UUID) -> None:
@@ -118,11 +121,21 @@ def repair_metadata(content: QuerySet[PythonPackageContent]) -> tuple[int, set[s
                 .first()
                 .artifact
             )
-            new_data = artifact_to_python_content_data(package.filename, main_artifact, domain)
+            # Copy artifact to temp file once, extract both content data and metadata
+            temp_path = copy_artifact_to_temp_file(main_artifact, package.filename)
+            try:
+                new_data = artifact_to_python_content_data(
+                    package.filename, main_artifact, domain, temp_path=temp_path
+                )
+                metadata_content = (
+                    extract_wheel_metadata(temp_path) if package.filename.endswith(".whl") else None
+                )
+            finally:
+                os.unlink(temp_path)
             total_metadata_repaired += update_metadata_artifact_if_needed(
                 package,
                 new_data.get("metadata_sha256"),
-                main_artifact,
+                metadata_content,
                 metadata_batch,
                 pkgs_metadata_not_repaired,
             )
@@ -236,7 +249,7 @@ def update_package_if_needed(
 def update_metadata_artifact_if_needed(
     package: PythonPackageContent,
     new_metadata_sha256: str | None,
-    main_artifact: Artifact,
+    metadata_content: bytes | None,
     metadata_batch: list[tuple],
     pkgs_metadata_not_repaired: set[str],
 ) -> int:
@@ -248,7 +261,7 @@ def update_metadata_artifact_if_needed(
     Args:
         package: Package to check for metadata changes.
         new_metadata_sha256: The correct metadata_sha256 extracted from the main artifact, or None.
-        main_artifact: The main package artifact used to generate metadata.
+        metadata_content: Raw metadata bytes extracted from the wheel, or None.
         metadata_batch: List of tuples for batch processing (updated in-place).
         pkgs_metadata_not_repaired: Set of package PKs that failed repair (updated in-place).
 
@@ -265,13 +278,13 @@ def update_metadata_artifact_if_needed(
 
     # Create missing
     if not cas:
-        metadata_batch.append((package, main_artifact))
+        metadata_batch.append((package, metadata_content))
     # Fix existing
     elif new_metadata_sha256 != original_metadata_sha256:
         ca = cas.first()
         metadata_artifact = ca.artifact
         if metadata_artifact is None or (metadata_artifact.sha256 != new_metadata_sha256):
-            metadata_batch.append((package, main_artifact))
+            metadata_batch.append((package, metadata_content))
 
     if len(metadata_batch) == BULK_SIZE:
         not_repaired = _process_metadata_batch(metadata_batch)
@@ -288,7 +301,7 @@ def _process_metadata_batch(metadata_batch: list[tuple]) -> set[str]:
     and their corresponding ContentArtifacts.
 
     Args:
-        metadata_batch: List of (package, main_artifact) tuples.
+        metadata_batch: List of (package, metadata_content) tuples.
 
     Returns:
         Set of package PKs for which metadata artifacts could not be created.
@@ -296,8 +309,8 @@ def _process_metadata_batch(metadata_batch: list[tuple]) -> set[str]:
     not_repaired = set()
     content_artifacts = []
 
-    for package, main_artifact in metadata_batch:
-        metadata_artifact = artifact_to_metadata_artifact(package.filename, main_artifact)
+    for package, metadata_content in metadata_batch:
+        metadata_artifact = metadata_content_to_artifact(metadata_content)
         if metadata_artifact:
             ca = ContentArtifact(
                 artifact=metadata_artifact,

{pulp_python-3.28.1 → pulp_python-3.29.0}/pulp_python/app/utils.py

@@ -240,18 +240,37 @@ def compute_metadata_sha256(filename: str) -> str | None:
     return hashlib.sha256(metadata_content).hexdigest() if metadata_content else None
 
 
-def artifact_to_python_content_data(filename, artifact, domain=None):
+def copy_artifact_to_temp_file(artifact, filename, tmp_dir="."):
+    """
+    Copy an artifact's file to a temporary file on disk.
+
+    Returns the path to the temp file. The caller is responsible for cleanup.
+    """
+    temp_file = tempfile.NamedTemporaryFile("wb", dir=tmp_dir, suffix=filename, delete=False)
+    artifact.file.seek(0)
+    shutil.copyfileobj(artifact.file, temp_file)
+    temp_file.flush()
+    temp_file.close()
+    return temp_file.name
+
+
+def artifact_to_python_content_data(filename, artifact, domain=None, temp_path=None):
     """
     Takes the artifact/filename and returns the metadata needed to create a PythonPackageContent.
+
+    If temp_path is provided, uses it instead of copying the artifact to a new temp file.
     """
     # Copy file to a temp directory under the user provided filename, we do this
     # because pkginfo validates that the filename has a valid extension before
     # reading it
-    with tempfile.NamedTemporaryFile("wb", dir=".", suffix=filename) as temp_file:
-        artifact.file.seek(0)
-        shutil.copyfileobj(artifact.file, temp_file)
-        temp_file.flush()
-        metadata = get_project_metadata_from_file(temp_file.name)
+    if temp_path:
+        metadata = get_project_metadata_from_file(temp_path)
+    else:
+        with tempfile.NamedTemporaryFile("wb", dir=".", suffix=filename) as temp_file:
+            artifact.file.seek(0)
+            shutil.copyfileobj(artifact.file, temp_file)
+            temp_file.flush()
+            metadata = get_project_metadata_from_file(temp_file.name)
     data = parse_project_metadata(vars(metadata))
     data["sha256"] = artifact.sha256
     data["size"] = artifact.size
@@ -280,6 +299,16 @@ def artifact_to_metadata_artifact(
     if not metadata_content:
         return None
 
+    return metadata_content_to_artifact(metadata_content, tmp_dir)
+
+
+def metadata_content_to_artifact(metadata_content: bytes, tmp_dir: str = ".") -> Artifact | None:
+    """
+    Creates an Artifact from raw metadata content bytes.
+    """
+    if not metadata_content:
+        return None
+
     with tempfile.NamedTemporaryFile(
         "wb", dir=tmp_dir, suffix=".metadata", delete=False
     ) as temp_md:

{pulp_python-3.28.1 → pulp_python-3.29.0}/pulp_python/app/viewsets.py

@@ -7,6 +7,12 @@ from packaging.utils import canonicalize_name
 from pathlib import Path
 from rest_framework import status
 from rest_framework.decorators import action
+from rest_framework.mixins import (
+    CreateModelMixin,
+    DestroyModelMixin,
+    ListModelMixin,
+    RetrieveModelMixin,
+)
 from rest_framework.response import Response
 from rest_framework.serializers import ValidationError
 
@@ -143,15 +149,20 @@ class PythonRepositoryViewSet(
         If allow_package_substitution is False and the request is **only** adding packages, then a
         package substitution check is performed to provide a quicker error response. Otherwise, the
         check is delegated to the task.
+
+        Also performs an early blocklist check on added packages.
         """
         repository = self.get_object()
+        add_content_units = request.data.get("add_content_units", [])
+        content_ids = [extract_pk(x) for x in add_content_units]
+
+        self._early_blocklist_check(repository, content_ids)
+
         if not repository.allow_package_substitution:
             remove_content_units = request.data.get("remove_content_units", [])
             if remove_content_units or "base_version" in request.data:
                 return super().modify(request, pk)
             rvc = repository.latest_version().content
-            add_content_units = request.data.get("add_content_units", [])
-            content_ids = [extract_pk(x) for x in add_content_units]
             packages = (
                 python_models.PythonPackageContent.objects.filter(pk__in=content_ids)
                 .exclude(pk__in=rvc)
@@ -167,6 +178,17 @@ class PythonRepositoryViewSet(
                 )
         return super().modify(request, pk)
 
+    def _early_blocklist_check(self, repository, content_ids):
+        """
+        Raise early if any added packages match a blocklist entry.
+        """
+        if not content_ids:
+            return
+        packages = python_models.PythonPackageContent.objects.filter(pk__in=content_ids).only(
+            "filename", "name_normalized", "version"
+        )
+        repository.check_blocklist_for_packages(packages)
+
     @extend_schema(
         summary="Repair metadata",
         responses={202: AsyncOperationResponseSerializer},
@@ -216,6 +238,60 @@ class PythonRepositoryViewSet(
         return core_viewsets.OperationPostponedResponse(result, request)
 
 
+class PythonBlocklistEntryViewSet(
+    core_viewsets.NamedModelViewSet,
+    CreateModelMixin,
+    RetrieveModelMixin,
+    ListModelMixin,
+    DestroyModelMixin,
+):
+    """
+    ViewSet for managing blocklist entries on a PythonRepository.
+
+    Blocklist entries prevent packages from being added to the repository.
+    Entries can match by package `name` (all versions), package `name` + `version`,
+    or exact `filename`. Exactly one of `name` or `filename` must be provided.
+    """
+
+    endpoint_name = "blocklist_entries"
+    router_lookup = "pythonblocklistentry"
+    parent_viewset = PythonRepositoryViewSet
+    parent_lookup_kwargs = {"repository_pk": "repository__pk"}
+    serializer_class = python_serializers.PythonBlocklistEntrySerializer
+    queryset = python_models.PythonBlocklistEntry.objects.all()
+    ordering = ("-pulp_created",)
+
+    DEFAULT_ACCESS_POLICY = {
+        "statements": [
+            {
+                "action": ["list", "retrieve"],
+                "principal": "authenticated",
+                "effect": "allow",
+                "condition": "has_repository_model_or_domain_or_obj_perms:python.view_pythonrepository",  # noqa: E501
+            },
+            {
+                "action": ["create", "destroy"],
+                "principal": "authenticated",
+                "effect": "allow",
+                "condition": [
+                    "has_repository_model_or_domain_or_obj_perms:python.modify_pythonrepository",
+                    "has_repository_model_or_domain_or_obj_perms:python.view_pythonrepository",
+                ],
+            },
+        ],
+    }
+
+    def get_serializer_context(self):
+        """
+        Inject the parent repository into the serializer context so that `validate()` can check for
+        duplicate entries. The guard on `repository_pk` prevents errors during schema generation.
+        """
+        context = super().get_serializer_context()
+        if self.kwargs.get("repository_pk"):
+            context["repository"] = self.get_parent_object()
+        return context
+
+
 class PythonRepositoryVersionViewSet(core_viewsets.RepositoryVersionViewSet):
     """
     PythonRepositoryVersion represents a single Python repository version.

pulp_python-3.29.0/pulp_python/tests/functional/api/test_blocklist.py

@@ -0,0 +1,151 @@
+import pytest
+
+from pulpcore.tests.functional.utils import PulpTaskError
+from pulp_python.tests.functional.constants import PYTHON_EGG_FILENAME, PYTHON_EGG_URL
+
+CONTENT_BODY = {"relative_path": PYTHON_EGG_FILENAME, "file_url": PYTHON_EGG_URL}
+BLOCKED_MSG = "Blocklisted packages cannot be added to this repository"
+
+
+@pytest.mark.parallel
+def test_crd_entry(python_bindings, python_repo):
+    """
+    CRD operations on blocklist entries return correct fields and update the entry count.
+    """
+    entries_data = [
+        ({"name": "shelf-reader"}, "shelf-reader", None, None),
+        ({"name": "shelf-reader", "version": "0.1"}, "shelf-reader", "0.1", None),
+        ({"filename": PYTHON_EGG_FILENAME}, None, None, PYTHON_EGG_FILENAME),
+    ]
+    for body_kwargs, name, version, filename in entries_data:
+        entry = python_bindings.RepositoriesPythonBlocklistEntriesApi.create(
+            python_repo.pulp_href, python_bindings.PythonPythonBlocklistEntry(**body_kwargs)
+        )
+        assert entry.name == name
+        assert entry.version == version
+        assert entry.filename == filename
+        assert entry.added_by == "prn:auth.user:1"
+        assert entry.pulp_href is not None
+        assert entry.prn is not None
+
+    result = python_bindings.RepositoriesPythonBlocklistEntriesApi.list(python_repo.pulp_href)
+    assert result.count == 3
+
+    entry = result.results[0]
+    python_bindings.RepositoriesPythonBlocklistEntriesApi.read(entry.pulp_href)
+
+    python_bindings.RepositoriesPythonBlocklistEntriesApi.delete(entry.pulp_href)
+    result = python_bindings.RepositoriesPythonBlocklistEntriesApi.list(python_repo.pulp_href)
+    assert result.count == 2
+
+
+@pytest.mark.parallel
+@pytest.mark.parametrize(
+    "body_kwargs, expected_msg",
+    [
+        ({"name": "shelf-reader"}, "this name and version already exists"),
+        ({"name": "shelf-reader", "version": "0.1"}, "this name and version already exists"),
+        ({"filename": PYTHON_EGG_FILENAME}, "this filename already exists"),
+    ],
+)
+def test_duplicate_entry_rejected(python_bindings, python_repo, body_kwargs, expected_msg):
+    """
+    Creating a duplicate entry should fail.
+    """
+    python_bindings.RepositoriesPythonBlocklistEntriesApi.create(
+        python_repo.pulp_href, python_bindings.PythonPythonBlocklistEntry(**body_kwargs)
+    )
+    with pytest.raises(python_bindings.ApiException) as ctx:
+        python_bindings.RepositoriesPythonBlocklistEntriesApi.create(
+            python_repo.pulp_href, python_bindings.PythonPythonBlocklistEntry(**body_kwargs)
+        )
+    assert ctx.value.status == 400
+    assert expected_msg in ctx.value.body
+
+
+@pytest.mark.parallel
+@pytest.mark.parametrize(
+    "body_kwargs, expected_msg",
+    [
+        ({"version": "0.1", "filename": PYTHON_EGG_FILENAME}, "version' cannot be used with"),
+        ({"version": "0.1"}, "version' requires 'name'"),
+        ({"name": "shelf-reader", "filename": PYTHON_EGG_FILENAME}, "Exactly one of"),
+        ({}, "Exactly one of"),
+        ({"name": "shelf-reader", "version": "not-a-version"}, "not a valid version"),
+    ],
+)
+def test_invalid_entry_rejected(python_bindings, python_repo, body_kwargs, expected_msg):
+    """
+    Creating an entry with invalid data should fail.
+    """
+    with pytest.raises(python_bindings.ApiException) as ctx:
+        python_bindings.RepositoriesPythonBlocklistEntriesApi.create(
+            python_repo.pulp_href, python_bindings.PythonPythonBlocklistEntry(**body_kwargs)
+        )
+    assert ctx.value.status == 400
+    assert expected_msg in ctx.value.body
+
+
+@pytest.mark.parallel
+def test_upload_blocked(monitor_task, python_bindings, python_repo):
+    """
+    Uploading a package matching a blocklist entry is rejected.
+    """
+    python_bindings.RepositoriesPythonBlocklistEntriesApi.create(
+        python_repo.pulp_href,
+        python_bindings.PythonPythonBlocklistEntry(name="shelf-reader", version="0.1"),
+    )
+
+    with pytest.raises(PulpTaskError) as exc:
+        response = python_bindings.ContentPackagesApi.create(
+            repository=python_repo.pulp_href, **CONTENT_BODY
+        )
+        monitor_task(response.task)
+    assert BLOCKED_MSG in exc.value.task.error["description"]
+
+    repo = python_bindings.RepositoriesPythonApi.read(python_repo.pulp_href)
+    assert repo.latest_version_href.endswith("/0/")
+
+
+@pytest.mark.parallel
+def test_upload_allowed(monitor_task, python_bindings, python_repo):
+    """
+    Uploading a package is allowed when the blocklist entry targets a different version.
+    """
+    python_bindings.RepositoriesPythonBlocklistEntriesApi.create(
+        python_repo.pulp_href,
+        python_bindings.PythonPythonBlocklistEntry(name="shelf-reader", version="9.9"),
+    )
+
+    response = python_bindings.ContentPackagesApi.create(
+        repository=python_repo.pulp_href, **CONTENT_BODY
+    )
+    monitor_task(response.task)
+
+    repo = python_bindings.RepositoriesPythonApi.read(python_repo.pulp_href)
+    assert repo.latest_version_href.endswith("/1/")
+
+
+@pytest.mark.parallel
+def test_modify_blocked(monitor_task, python_bindings, python_repo):
+    """
+    Adding a blocklisted package via repository modify is rejected.
+    """
+    python_bindings.RepositoriesPythonBlocklistEntriesApi.create(
+        python_repo.pulp_href,
+        python_bindings.PythonPythonBlocklistEntry(name="shelf-reader", version="0.1"),
+    )
+
+    response = python_bindings.ContentPackagesApi.create(**CONTENT_BODY)
+    task = monitor_task(response.task)
+    content = python_bindings.ContentPackagesApi.read(task.created_resources[0])
+
+    with pytest.raises(python_bindings.ApiException) as exc:
+        python_bindings.RepositoriesPythonApi.modify(
+            python_repo.pulp_href, {"add_content_units": [content.pulp_href]}
+        )
+    assert exc.value.status == 400
+    assert BLOCKED_MSG in exc.value.body
+
+    repo = python_bindings.RepositoriesPythonApi.read(python_repo.pulp_href)
+    assert repo.latest_version_href.endswith("/0/")

{pulp_python-3.28.1 → pulp_python-3.29.0}/pulp_python.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: pulp-python
-Version: 3.28.1
+Version: 3.29.0
 Summary: pulp-python plugin for the Pulp Project
 Author-email: Pulp Team <pulp-list@redhat.com>
 Project-URL: Homepage, https://pulpproject.org

{pulp_python-3.28.1 → pulp_python-3.29.0}/pulp_python.egg-info/SOURCES.txt

@@ -52,6 +52,7 @@ pulp_python/app/migrations/0018_packageprovenance.py
 pulp_python/app/migrations/0019_create_missing_metadata_artifacts.py
 pulp_python/app/migrations/0020_pythonpackagecontent_name_normalized.py
 pulp_python/app/migrations/0021_pythonrepository_upload_duplicate_filenames.py
+pulp_python/app/migrations/0022_pythonblocklistentry.py
 pulp_python/app/migrations/__init__.py
 pulp_python/app/pypi/__init__.py
 pulp_python/app/pypi/serializers.py
@@ -72,6 +73,7 @@ pulp_python/tests/functional/utils.py
 pulp_python/tests/functional/api/__init__.py
 pulp_python/tests/functional/api/test_attestations.py
 pulp_python/tests/functional/api/test_auto_publish.py
+pulp_python/tests/functional/api/test_blocklist.py
 pulp_python/tests/functional/api/test_consume_content.py
 pulp_python/tests/functional/api/test_crud_content_unit.py
 pulp_python/tests/functional/api/test_crud_publications.py

{pulp_python-3.28.1 → pulp_python-3.29.0}/pyproject.toml

@@ -7,7 +7,7 @@ build-backend = 'setuptools.build_meta'
 
 [project]
 name = "pulp-python"
-version = "3.28.1"
+version = "3.29.0"
 description = "pulp-python plugin for the Pulp Project"
 readme = "README.md"
 authors = [
@@ -79,7 +79,7 @@ ignore = [
 [tool.bumpversion]
 # This section is managed by the plugin template. Do not edit manually.
 
-current_version = "3.28.1"
+current_version = "3.29.0"
 commit = false
 tag = false
 parse = "(?P<major>\\d+)\\.(?P<minor>\\d+)\\.(?P<alpha>0a)?(?P<patch>\\d+)(\\.(?P<release>[a-z]+))?"