pulpcore 3.83.2__py3-none-any.whl → 3.85.0__py3-none-any.whl

pulpcore/app/migrations/0138_vulnerabilityreport.py

@@ -0,0 +1,33 @@
+# Generated by Django 4.2.19 on 2025-08-07 00:07
+
+from django.db import migrations, models
+import django.db.models.deletion
+import django_lifecycle.mixins
+import pulpcore.app.models.base
+import pulpcore.app.util
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('core', '0137_appstatus'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='VulnerabilityReport',
+            fields=[
+                ('pulp_id', models.UUIDField(default=pulpcore.app.models.base.pulp_uuid, editable=False, primary_key=True, serialize=False)),
+                ('pulp_created', models.DateTimeField(auto_now_add=True)),
+                ('pulp_last_updated', models.DateTimeField(auto_now=True, null=True)),
+                ('vulns', models.JSONField()),
+                ('content', models.OneToOneField(on_delete=django.db.models.deletion.CASCADE, to='core.content')),
+                ('pulp_domain', models.ForeignKey(default=pulpcore.app.util.get_domain_pk, on_delete=django.db.models.deletion.CASCADE, to='core.domain')),
+                ('repo_versions', models.ManyToManyField(blank=True, to='core.repositoryversion')),
+            ],
+            options={
+                'default_related_name': '%(app_label)s_%(model_name)s',
+            },
+            bases=(django_lifecycle.mixins.LifecycleModelMixin, models.Model),
+        ),
+    ]

pulpcore/app/models/__init__.py

@@ -69,7 +69,7 @@ from .repository import (
     RepositoryVersionContentDetails,
 )
 
-from .status import ApiAppStatus, ContentAppStatus
+from .status import AppStatus, ApiAppStatus, ContentAppStatus
 
 from .task import (
     CreatedResource,
@@ -87,6 +87,8 @@ from .upload import (
     UploadChunk,
 )
 
+from .vulnerability_report import VulnerabilityReport
+
 # Moved here to avoid a circular import with Task
 from .progress import GroupProgressReport, ProgressReport
 
@@ -170,4 +172,5 @@ __all__ = [
     "OpenPGPSignature",
     "OpenPGPUserAttribute",
     "OpenPGPUserID",
+    "VulnerabilityReport",
 ]

pulpcore/app/models/publication.py

@@ -576,47 +576,6 @@ class CompositeContentGuard(ContentGuard, AutoAddObjPermsMixin):
         )
 
 
-class BaseDistribution(MasterModel):
-    """
-    A distribution defines how a publication is distributed by the Content App.
-
-    This abstract model can be used by plugin writers to create concrete distributions that are
-    stored in separate tables from the Distributions provided by pulpcore.
-
-    The `name` must be unique.
-
-    The ``base_path`` must have no overlapping components. So if a Distribution with ``base_path``
-    of ``a/path/foo`` existed, you could not make a second Distribution with a ``base_path`` of
-    ``a/path`` or ``a`` because both are subpaths of ``a/path/foo``.
-
-    Note:
-        This class is no longer supported and cannot be removed from Pulp 3 due to possible
-        problems with old migrations for plugins. Until the migrations are squashed, this class
-        should be preserved.
-
-    Fields:
-        name (models.TextField): The name of the distribution. Examples: "rawhide" and "stable".
-        base_path (models.TextField): The base (relative) path component of the published url.
-
-    Relations:
-        content_guard (models.ForeignKey): An optional content-guard.
-        remote (models.ForeignKey): A remote that the content app can use to find content not
-            yet stored in Pulp.
-    """
-
-    name = models.TextField(db_index=True, unique=True)
-    base_path = models.TextField(unique=True)
-
-    content_guard = models.ForeignKey(ContentGuard, null=True, on_delete=models.SET_NULL)
-    remote = models.ForeignKey(Remote, null=True, on_delete=models.SET_NULL)
-
-    def __init__(self, *args, **kwargs):
-        raise Exception(
-            "BaseDistribution is no longer supported. "
-            "Please use pulpcore.plugin.models.Distribution instead."
-        )
-
-
 class Distribution(MasterModel):
     """
     A Distribution defines how the Content App distributes a publication or repository_version.

pulpcore/app/models/status.py

@@ -6,7 +6,9 @@ from datetime import timedelta
 
 from django.conf import settings
 from django.contrib.postgres.fields import HStoreField
+from django.contrib.postgres.functions import TransactionNow
 from django.db import models
+from django.db.models import F, Value
 from django.utils import timezone
 
 from pulpcore.app.models import BaseModel
@@ -47,9 +49,138 @@ class AppStatusManager(models.Manager):
         return self.filter(last_heartbeat__lt=age_threshold)
 
 
+class _AppStatusManager(AppStatusManager):
+    # This is an intermediate class in order to allow a ZDU.
+    # It should be removed from the chain with 3.87.
+    def create(self, app_type, **kwargs):
+        if app_type == "api":
+            old_obj = ApiAppStatus.objects.create(**kwargs)
+        elif app_type == "worker":
+            from pulpcore.app.models import Worker
+
+            old_obj = Worker.objects.create(**kwargs)
+        else:
+            raise NotImplementedError(f"Invalid app_type: {app_type}")
+        obj = super().create(app_type=app_type, **kwargs)
+        obj._old_status = old_obj
+        return obj
+
+    async def acreate(self, app_type, **kwargs):
+        if app_type == "content":
+            old_obj = await ContentAppStatus.objects.acreate(**kwargs)
+        else:
+            raise NotImplementedError(f"Invalid app_type: {app_type}")
+        obj = await super().acreate(app_type=app_type, **kwargs)
+        obj._old_status = old_obj
+        return obj
+
+    def online(self):
+        """
+        Returns a queryset of objects that are online.
+        """
+        return self.filter(last_heartbeat__gte=TransactionNow() - F("ttl"))
+
+    def missing(self):
+        """
+        Returns a queryset of workers that are missing.
+        """
+        return self.filter(last_heartbeat__lt=TransactionNow() - F("ttl"))
+
+    def older_than(self, age):
+        """
+        Returns a queryset of workers that are older than age.
+        """
+        return self.filter(last_heartbeat__lt=TransactionNow() - Value(age))
+
+
+class AppStatus(BaseModel):
+    APP_TYPES = [
+        ("api", "api"),
+        ("content", "content"),
+        ("worker", "worker"),
+    ]
+    _APP_TTL = {
+        "api": settings.API_APP_TTL,
+        "content": settings.CONTENT_APP_TTL,
+        "worker": settings.WORKER_TTL,
+    }
+    objects = _AppStatusManager()
+
+    app_type = models.CharField(max_length=10, choices=APP_TYPES)
+    name = models.TextField(db_index=True, unique=True)
+    versions = HStoreField(default=dict)
+    ttl = models.DurationField(null=False)
+    last_heartbeat = models.DateTimeField(auto_now=True)
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.ttl = timedelta(seconds=self._APP_TTL[self.app_type])
+        self._old_status = None
+
+    def delete(self, *args, **kwargs):
+        # adelete will call into this, so we should not replicate that one here.
+        if self._old_status is not None:
+            self._old_status.delete(*args, **kwargs)
+        super().delete(*args, **kwargs)
+
+    @property
+    def online(self) -> bool:
+        """
+        To be considered 'online', an app must have a timestamp more recent than ``self.ttl``.
+        """
+        age_threshold = timezone.now() - self.ttl
+        return self.last_heartbeat >= age_threshold
+
+    @property
+    def missing(self):
+        """
+        Whether an app can be considered 'missing'
+
+        To be considered 'missing', an App must have a timestamp older than ``self.ttl``.
+
+        Returns:
+            bool: True if the app is considered missing, otherwise False
+        """
+        return not self.online
+
+    def save_heartbeat(self):
+        """
+        Update the last_heartbeat field to now and save it.
+
+        Only the last_heartbeat field will be saved. No other changes will be saved.
+
+        Raises:
+            ValueError: When the model instance has never been saved before. This method can
+                only update an existing database record.
+        """
+        self._old_status.save_heartbeat()
+        self.save(update_fields=["last_heartbeat"])
+
+    async def asave_heartbeat(self):
+        """
+        Update the last_heartbeat field to now and save it.
+
+        Only the last_heartbeat field will be saved. No other changes will be saved.
+
+        Raises:
+            ValueError: When the model instance has never been saved before. This method can
+                only update an existing database record.
+        """
+        await self._old_status.asave_heartbeat()
+        await self.asave(update_fields=["last_heartbeat"])
+
+    @property
+    def current_task(self):
+        """
+        The task this worker is currently executing, if any.
+        """
+        return self.tasks.filter(state="running").first()
+
+
 class BaseAppStatus(BaseModel):
     """
     Represents an AppStatus.
+    Deprecated, to be removed with 3.87.
 
     This class is abstract. Subclasses must define `APP_TTL` as a `timedelta`.
 
@@ -103,6 +234,18 @@ class BaseAppStatus(BaseModel):
         """
         self.save(update_fields=["last_heartbeat"])
 
+    async def asave_heartbeat(self):
+        """
+        Update the last_heartbeat field to now and save it.
+
+        Only the last_heartbeat field will be saved. No other changes will be saved.
+
+        Raises:
+            ValueError: When the model instance has never been saved before. This method can
+                only update an existing database record.
+        """
+        await self.asave(update_fields=["last_heartbeat"])
+
     class Meta:
         abstract = True
 
@@ -110,6 +253,7 @@ class BaseAppStatus(BaseModel):
 class ApiAppStatus(BaseAppStatus):
     """
     Represents a Api App Status
+    Deprecated, to be removed with 3.87.
     """
 
     APP_TTL = timedelta(seconds=settings.API_APP_TTL)
@@ -118,6 +262,7 @@ class ApiAppStatus(BaseAppStatus):
 class ContentAppStatus(BaseAppStatus):
     """
     Represents a Content App Status
+    Deprecated, to be removed with 3.87.
     """
 
     APP_TTL = timedelta(seconds=settings.CONTENT_APP_TTL)

pulpcore/app/models/task.py

@@ -9,6 +9,7 @@ from gettext import gettext as _
 
 from django.conf import settings
 from django.contrib.postgres.fields import ArrayField, HStoreField
+from django.contrib.postgres.indexes import GinIndex
 from django.core.serializers.json import DjangoJSONEncoder
 from django.db import connection, models
 from django.utils import timezone
@@ -32,6 +33,7 @@ _logger = logging.getLogger(__name__)
 class Worker(BaseAppStatus):
     """
     Represents a worker
+    Deprecated, to be removed with 3.87.
     """
 
     APP_TTL = timedelta(seconds=settings.WORKER_TTL)
@@ -348,6 +350,12 @@ class Task(BaseModel, AutoAddObjPermsMixin):
             models.Index(fields=["unblocked_at"]),
             models.Index(fields=["state"]),
             models.Index(fields=["state", "pulp_created"]),
+            GinIndex(
+                name="pulp_task_resources_index",
+                fields=["reserved_resources_record"],
+                condition=~models.Q(state__in=["completed", "failed", "canceled", "skipped"]),
+                opclasses=["array_ops"],
+            ),
         ]
         permissions = [
             ("manage_roles_task", "Can manage role assignments on task"),

pulpcore/app/models/vulnerability_report.py

@@ -0,0 +1,34 @@
+from django.db import models
+
+from pulpcore.app.models.base import BaseModel
+from pulpcore.app.util import get_domain_pk
+
+
+class VulnerabilityReport(BaseModel):
+    """
+    A model for storing vulnerability reports for Content/RepositoryVersion.
+
+    Fields:
+        vulns (models.JSONField): A JSON field containing the list of vulnerabilities found
+            in osv.dev.
+
+    Relations:
+        content (models.OneToOneField): The Content object that was scanned for vulnerabilities.
+        pulp_domain (models.ForeignKey): The Domain this vulnerability report belongs to,
+            providing multi-tenancy isolation.
+        repo_versions (models.ManyToManyField): The RepositoryVersion(s) where the scanned
+            Content appears. This allows tracking which repository versions contain
+            vulnerable content.
+    """
+
+    content = models.OneToOneField(
+        "Content",
+        on_delete=models.CASCADE,
+        unique=True,
+    )
+    vulns = models.JSONField()
+    pulp_domain = models.ForeignKey("Domain", default=get_domain_pk, on_delete=models.CASCADE)
+    repo_versions = models.ManyToManyField("RepositoryVersion", blank=True)
+
+    class Meta:
+        default_related_name = "%(app_label)s_%(model_name)s"

pulpcore/app/serializers/__init__.py

@@ -121,6 +121,7 @@ from .user import (
     UserSerializer,
 )
 from .replica import UpstreamPulpSerializer
+from .vulnerability_report import VulnerabilityReportSerializer
 from .openpgp import (
     OpenPGPDistributionSerializer,
     OpenPGPKeyringSerializer,

pulpcore/app/serializers/content.py

@@ -5,7 +5,13 @@ from rest_framework import serializers
 from rest_framework.validators import UniqueValidator
 
 from pulpcore.app import models
-from pulpcore.app.serializers import base, fields, pulp_labels_validator, DetailRelatedField
+from pulpcore.app.serializers import (
+    base,
+    fields,
+    pulp_labels_validator,
+    DetailRelatedField,
+    RelatedField,
+)
 from pulpcore.app.util import get_domain
 
 
@@ -27,6 +33,11 @@ class NoArtifactContentSerializer(base.ModelSerializer):
         view_name_pattern=r"repositories(-.*/.*)-detail",
         queryset=models.Repository.objects.all(),
     )
+    vuln_report = RelatedField(
+        read_only=True,
+        view_name="vuln_report-detail",
+        source="core_vulnerabilityreport",
+    )
 
     def get_artifacts(self, validated_data):
         """
@@ -116,6 +127,7 @@ class NoArtifactContentSerializer(base.ModelSerializer):
         fields = base.ModelSerializer.Meta.fields + (
             "repository",
             "pulp_labels",
+            "vuln_report",
         )
 
 

pulpcore/app/serializers/repository.py

@@ -7,7 +7,7 @@ from rest_framework import fields, serializers
 from rest_framework_nested.serializers import NestedHyperlinkedModelSerializer
 
 from pulpcore.app import models, settings
-from pulpcore.app.util import get_prn
+from pulpcore.app.util import get_prn, reverse
 from pulpcore.app.serializers import (
     DetailIdentityField,
     DetailRelatedField,
@@ -490,6 +490,12 @@ class RepositoryVersionSerializer(ModelSerializer, NestedHyperlinkedModelSeriali
         source="*",
         read_only=True,
     )
+    vuln_report = serializers.SerializerMethodField(
+        read_only=True,
+    )
+
+    def get_vuln_report(self, object):
+        return f"{reverse('vuln_report-list')}?repository_version={get_prn(object)}"
 
     class Meta:
         model = models.RepositoryVersion
@@ -499,6 +505,7 @@ class RepositoryVersionSerializer(ModelSerializer, NestedHyperlinkedModelSeriali
             "repository",
             "base_version",
             "content_summary",
+            "vuln_report",
         )
 
 

pulpcore/app/serializers/vulnerability_report.py

@@ -0,0 +1,27 @@
+from rest_framework import serializers
+
+from pulpcore.app.models import VulnerabilityReport
+from pulpcore.app.serializers import (
+    DetailRelatedField,
+    IdentityField,
+    ModelSerializer,
+    RepositoryVersionRelatedField,
+)
+
+
+class VulnerabilityReportSerializer(ModelSerializer):
+    """
+    A serializer for the VulnerabilityReport Model.
+    """
+
+    vulns = serializers.JSONField()
+    pulp_href = IdentityField(view_name="vuln_report-detail")
+    content = DetailRelatedField(
+        read_only=True,
+        view_name_pattern=r"content(-.*/.*)-detail",
+    )
+    repo_versions = RepositoryVersionRelatedField(many=True, required=False)
+
+    class Meta:
+        model = VulnerabilityReport
+        fields = ModelSerializer.Meta.fields + ("vulns", "repo_versions", "content")

pulpcore/app/settings.py

@@ -12,12 +12,11 @@ import sys
 
 from contextlib import suppress
 from importlib import import_module
+from importlib.metadata import entry_points
 from logging import getLogger
 from pathlib import Path
 
 from cryptography.fernet import Fernet
-from django.core.files.storage import storages
-from django.conf import global_settings
 from django.core.exceptions import ImproperlyConfigured
 from django.db import connection
 from dynaconf import DjangoDynaconf, Dynaconf, Validator
@@ -32,12 +31,6 @@ try:
 except ImportError:
     pass
 
-if sys.version_info < (3, 10):
-    # Python 3.9 has a rather different interface for `entry_points`.
-    # Let's use a compatibility version.
-    from importlib_metadata import entry_points
-else:
-    from importlib.metadata import entry_points
 
 # Load settings first pass before applying all the defaults to get a grip on ENABLED_PLUGINS.
 enabled_plugins_validator = Validator(
@@ -77,16 +70,7 @@ MEDIA_ROOT = str(DEPLOY_ROOT / "media")  # Django 3.1 adds support for pathlib.P
 STATIC_URL = "/assets/"
 STATIC_ROOT = DEPLOY_ROOT / STATIC_URL.strip("/")
 
-# begin compatibility layer for DEFAULT_FILE_STORAGE
-# Remove on pulpcore=3.85 or pulpcore=4.0
-
-# - What is this?
-# We shouldn't use STORAGES or DEFAULT_FILE_STORAGE directly because those are
-# mutually exclusive by django, which constraints users to use whatever we use.
-# This is a hack/workaround to set Pulp's default while still enabling users to choose
-# the legacy or the new storage setting.
-_DEFAULT_FILE_STORAGE = "pulpcore.app.models.storage.FileSystem"
-_STORAGES = {
+STORAGES = {
     "default": {
         "BACKEND": "pulpcore.app.models.storage.FileSystem",
     },
@@ -95,10 +79,6 @@ _STORAGES = {
     },
 }
 
-setattr(global_settings, "DEFAULT_FILE_STORAGE", _DEFAULT_FILE_STORAGE)
-setattr(global_settings, "STORAGES", _STORAGES)
-# end DEFAULT_FILE_STORAGE deprecation layer
-
 REDIRECT_TO_OBJECT_STORAGE = True
 
 WORKING_DIRECTORY = DEPLOY_ROOT / "tmp"
@@ -328,6 +308,7 @@ TASK_PROTECTION_TIME = 0
 TMPFILE_PROTECTION_TIME = 0
 
 REMOTE_USER_ENVIRON_NAME = "REMOTE_USER"
+REMOTE_USER_OPENAPI_SECURITY_SCHEME = {"type": "mutualTLS"}
 
 AUTHENTICATION_JSON_HEADER = ""
 AUTHENTICATION_JSON_HEADER_JQ_FILTER = ""
@@ -347,6 +328,7 @@ CACHE_SETTINGS = {
 REMOTE_CONTENT_FETCH_FAILURE_COOLDOWN = 5 * 60  # 5 minutes
 
 SPECTACULAR_SETTINGS = {
+    "OAS_VERSION": "3.1.1",
     "SERVE_URLCONF": ROOT_URLCONF,
     "DEFAULT_GENERATOR_CLASS": "pulpcore.openapi.PulpSchemaGenerator",
     "DEFAULT_SCHEMA_CLASS": "pulpcore.openapi.PulpAutoSchema",
@@ -424,6 +406,9 @@ KAFKA_SASL_PASSWORD = None
 # opentelemetry settings
 OTEL_ENABLED = False
 
+# VulnerabilityReport settings
+VULN_REPORT_TASK_LIMITER = 10
+
 # Replaces asyncio event loop with uvloop
 UVLOOP_ENABLED = False
 
@@ -432,19 +417,17 @@ UVLOOP_ENABLED = False
 
 # Validators
 
-storage_keys = ("STORAGES.default.BACKEND", "DEFAULT_FILE_STORAGE")
 storage_validator = (
     Validator("REDIRECT_TO_OBJECT_STORAGE", eq=False)
-    | Validator(*storage_keys, eq="pulpcore.app.models.storage.FileSystem")
-    | Validator(*storage_keys, eq="storages.backends.azure_storage.AzureStorage")
-    | Validator(*storage_keys, eq="storages.backends.s3.S3Storage")
-    | Validator(*storage_keys, eq="storages.backends.s3boto3.S3Boto3Storage")
-    | Validator(*storage_keys, eq="storages.backends.gcloud.GoogleCloudStorage")
+    | Validator("STORAGES.default.BACKEND", eq="pulpcore.app.models.storage.FileSystem")
+    | Validator("STORAGES.default.BACKEND", eq="storages.backends.azure_storage.AzureStorage")
+    | Validator("STORAGES.default.BACKEND", eq="storages.backends.s3.S3Storage")
+    | Validator("STORAGES.default.BACKEND", eq="storages.backends.s3boto3.S3Boto3Storage")
+    | Validator("STORAGES.default.BACKEND", eq="storages.backends.gcloud.GoogleCloudStorage")
 )
 storage_validator.messages["combined"] = (
     "'REDIRECT_TO_OBJECT_STORAGE=True' is only supported with the local file, S3, GCP or Azure "
-    "storage backend configured in STORAGES['default']['BACKEND'] "
-    "(deprecated DEFAULT_FILE_STORAGE)."
+    "storage backend configured in STORAGES['default']['BACKEND']."
 )
 
 cache_enabled_validator = Validator("CACHE_ENABLED", eq=True)
@@ -551,14 +534,6 @@ settings = DjangoDynaconf(
     post_hooks=(otel_middleware_hook,),
 )
 
-# begin compatibility layer for DEFAULT_FILE_STORAGE
-# Remove on pulpcore=3.85 or pulpcore=4.0
-
-# Ensures the cached property storage.backends uses the the right value
-storages._backends = settings.STORAGES.copy()
-storages.backends
-# end compatibility layer
-
 _logger = getLogger(__name__)
 
 

pulpcore/app/tasks/__init__.py

@@ -25,3 +25,5 @@ from .replica import replicate_distributions
 from .repository import repair_all_artifacts
 
 from .analytics import post_analytics
+
+from .vulnerability_report import check_content

pulpcore/app/tasks/purge.py

@@ -82,17 +82,20 @@ def purge(finished_before=None, states=None, **kwargs):
         states (Optional[List[str]]): List of task-states we want to purge.
 
     """
+    scheduled = current_task.get().taskschedule_set.exists()
+
     if finished_before is None:
         assert settings.TASK_PROTECTION_TIME > 0
         finished_before = timezone.now() - timezone.timedelta(minutes=settings.TASK_PROTECTION_TIME)
     if states is None:
         states = TASK_FINAL_STATES
-    domain = get_domain()
+
     # Tasks, prior to the specified date, in the specified state, owned by the current-user, in the
     # current domain
-    candidate_qs = Task.objects.filter(
-        finished_at__lt=finished_before, state__in=states, pulp_domain=domain
-    )
+    candidate_qs = Task.objects.filter(finished_at__lt=finished_before, state__in=states)
+
+    if not scheduled:
+        candidate_qs = candidate_qs.filter(pulp_domain=get_domain())
     if "user_pk" in kwargs:
         if (user_pk := kwargs["user_pk"]) is not None:
             current_user = User.objects.get(pk=user_pk)
@@ -101,7 +104,7 @@ def purge(finished_before=None, states=None, **kwargs):
         # This is the old task signature (<= 3.74) without "user_pk".
         # Has this task not been dispatched from a task schedule? Then we assume there was a user
         # doing that.
-        if not current_task.get().taskschedule_set.exists():
+        if not scheduled:
             current_user = get_current_authenticated_user()
             if current_user is None:
                 raise RuntimeError(