Pin click to z-streams

.ci/nginx.conf.j2

@@ -1,9 +1,6 @@
 # Copy from pulp-oci-images.
 # Ideally we can get it upstream again.
 #
-# TODO: Support IPv6.
-# TODO: Maybe serve multiple `location`s, not just one.
-
 # The "nginx" package on fedora creates this user and group.
 user nginx nginx;
 # Gunicorn docs suggest this value.
@@ -24,10 +21,12 @@ http {
     # to build optimal hash types.
     types_hash_max_size 4096;
 
+    {%- if https | default(false) %}
     map $ssl_client_s_dn $ssl_client_s_dn_cn {
         default "";
         ~CN=(?<CN>[^,]+) $CN;
     }
+    {%- endif %}
 
     upstream pulp-content {
          server 127.0.0.1:24816;
@@ -85,7 +84,9 @@ http {
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header X-Forwarded-Proto $scheme;
             proxy_set_header Host $http_host;
+            {%- if https | default(false) %}
             proxy_set_header Remoteuser $ssl_client_s_dn_cn;
+            {%- endif %}
             # we don't want nginx trying to do something clever with
             # redirects, we set the Host: header above already.
             proxy_redirect off;
@@ -136,6 +137,25 @@ http {
             try_files $uri $uri/ =404;
         }
         {%- endif %}
+        {% if https | default(false) -%}
+        location /oauth2token/ {
+            auth_basic "Tokens, Tokens, Tokens";
+            auth_basic_user_file /etc/pulp/certs/oauth2passwd;
+            if ($request_method !~ POST) {
+                # This still triggers earlier than the auth_basic in the outer block.
+                return 403;
+            }
+            try_files /dev/null @oauth2token;
+        }
+        # Nginx "return" kicks in before basic_auth, so we must use it in a separate block.
+        # https://stackoverflow.com/questions/67975464/why-doesnt-basic-auth-work-with-a-simple-nginx-return-statement
+        location @oauth2token {
+            default_type application/json;
+            charset utf-8;
+
+            return 200 '{"access_token": "DEADBEEF", "token_type": "bearer", "expires_in": 30}';
+        }
+        {%- endif %}
     }
     {%- if https | default(false) %}
     server {

.ci/run_container.sh

@@ -50,7 +50,8 @@ else
 fi;
 
 mkdir -p "${PULP_CLI_TEST_TMPDIR}/settings/certs"
-cp "${BASEPATH}/settings/settings.py" "${PULP_CLI_TEST_TMPDIR}/settings"
+cp "${BASEPATH}/settings/settings.py" "${PULP_CLI_TEST_TMPDIR}/settings/settings.py"
+echo "service_acct:$(openssl passwd secret)" > "${PULP_CLI_TEST_TMPDIR}/settings/certs/oauth2passwd"
 
 if [ -z "${PULP_HTTPS:+x}" ]
 then
@@ -65,20 +66,18 @@ else
   export PULP_CA_BUNDLE="${PULP_CLI_TEST_TMPDIR}/settings/certs/ca.pem"
   ln -fs server.pem "${PULP_CLI_TEST_TMPDIR}/settings/certs/pulp_webserver.crt"
   ln -fs server.key "${PULP_CLI_TEST_TMPDIR}/settings/certs/pulp_webserver.key"
-  {
-    echo "AUTHENTICATION_BACKENDS = '@merge django.contrib.auth.backends.RemoteUserBackend'"
-    echo "MIDDLEWARE  = '@merge django.contrib.auth.middleware.RemoteUserMiddleware'"
-    echo "REST_FRAMEWORK__DEFAULT_AUTHENTICATION_CLASSES = '@merge pulpcore.app.authentication.PulpRemoteUserAuthentication'"
-    echo "REMOTE_USER_ENVIRON_NAME = 'HTTP_REMOTEUSER'"
-  } >> "${PULP_CLI_TEST_TMPDIR}/settings/settings.py"
 fi
 export PULP_CONTENT_ORIGIN
 
 "${CONTAINER_RUNTIME}" \
   run ${RM:+--rm} \
   --env S6_KEEP_ENV=1 \
+  ${OAS_VERSION:+--env PULP_SPECTACULAR_SETTINGS__OAS_VERSION="${OAS_VERSION}"} \
   ${PULP_HTTPS:+--env PULP_HTTPS} \
+  ${PULP_OAUTH2:+--env PULP_OAUTH2} \
   ${PULP_API_ROOT:+--env PULP_API_ROOT} \
+  ${PULP_DOMAIN_ENABLED:+--env PULP_DOMAIN_ENABLED} \
+  ${PULP_ENABLED_PLUGINS:+--env PULP_ENABLED_PLUGINS} \
   --env PULP_CONTENT_ORIGIN \
   --detach \
   --name "pulp-ephemeral" \

.ci/scripts/check_click_for_mypy.py

@@ -1,11 +1,9 @@
 #!/bin/env python3
 
-import sys
-
 import click
 from packaging.version import parse
 
 if parse(click.__version__) < parse("8.1.1") or parse(click.__version__) >= parse("8.2"):
     print("🚧 Linting with mypy is currently only supported with click~=8.1.1. 🚧")
     print("🔧 Please run `pip install click~=8.1.1` first. 🔨")
-    sys.exit(1)
+    exit(1)

.ci/settings/settings.py

@@ -1,3 +1,58 @@
+import os
+
 ALLOWED_EXPORT_PATHS = ["/tmp"]
 ANALYTICS = False
 ALLOWED_CONTENT_CHECKSUMS = ["sha1", "sha256", "sha512"]
+
+if os.environ.get("PULP_HTTPS", "false").lower() == "true":
+    AUTHENTICATION_BACKENDS = "@merge django.contrib.auth.backends.RemoteUserBackend"
+    MIDDLEWARE = "@merge django.contrib.auth.middleware.RemoteUserMiddleware"
+    REST_FRAMEWORK__DEFAULT_AUTHENTICATION_CLASSES = (
+        "@merge pulpcore.app.authentication.PulpRemoteUserAuthentication"
+    )
+    REMOTE_USER_ENVIRON_NAME = "HTTP_REMOTEUSER"
+
+if os.environ.get("PULP_OAUTH2", "false").lower() == "true":
+    assert os.environ.get("PULP_HTTPS", "false").lower() == "true"
+
+    def PulpCliFakeOauth2Authentication(*args, **kwargs):
+        # We need to lazy load this.
+        # Otherwise views may be instanciated, before this configuration is merged.
+
+        from django.contrib.auth import authenticate
+        from drf_spectacular.extensions import OpenApiAuthenticationExtension
+        from rest_framework.authentication import BaseAuthentication
+
+        class _PulpCliFakeOauth2Authentication(BaseAuthentication):
+            def authenticate(self, request):
+                auth_header = request.META.get("HTTP_AUTHORIZATION")
+                if auth_header == "Bearer DEADBEEF":
+                    return authenticate(request, remote_user="admin"), None
+                else:
+                    return None
+
+            def authenticate_header(self, request):
+                return 'Bearer realm="Pulp"'
+
+        class PulpCliFakeOauth2AuthenticationScheme(OpenApiAuthenticationExtension):
+            target_class = _PulpCliFakeOauth2Authentication
+            name = "PulpCliFakeOauth2"
+
+            def get_security_definition(self, auto_schema):
+                return {
+                    "type": "oauth2",
+                    "flows": {
+                        "clientCredentials": {
+                            "tokenUrl": "https://localhost:8080/oauth2token/",
+                            "scopes": {"api.console": "grant_access_to_pulp"},
+                        },
+                    },
+                }
+
+        return _PulpCliFakeOauth2Authentication(*args, **kwargs)
+
+    PULP_CLI_FAKE_OAUTH2_AUTHENTICATION = PulpCliFakeOauth2Authentication
+
+    REST_FRAMEWORK__DEFAULT_AUTHENTICATION_CLASSES = (
+        "@merge pulpcore.app.settings.PULP_CLI_FAKE_OAUTH2_AUTHENTICATION"
+    )

.github/dependabot.yml

@@ -1,23 +1,25 @@
+---
 version: 2
 updates:
-- package-ecosystem: pip
+- package-ecosystem: "pip"
   directory: "/"
   schedule:
-    interval: daily
+    interval: "daily"
   commit-message:
     prefix: "[PIP] "
   open-pull-requests-limit: 10
-- package-ecosystem: pip
+- package-ecosystem: "pip"
   directory: "/pulp-glue"
   schedule:
-    interval: daily
+    interval: "daily"
   commit-message:
     prefix: "[PIP] "
   open-pull-requests-limit: 10
-- package-ecosystem: github-actions
+- package-ecosystem: "github-actions"
   directory: "/"
   schedule:
-    interval: weekly
+    interval: "weekly"
   commit-message:
     prefix: "[GHA] "
   open-pull-requests-limit: 10
+...

.github/workflows/cookiecutter.yml

@@ -0,0 +1,58 @@
+---
+name: "Update CI from cookiecutter"
+on:
+  workflow_dispatch:
+
+defaults:
+  run:
+    working-directory: "pulp-cli"
+
+jobs:
+  update-ci:
+    runs-on: "ubuntu-latest"
+    steps:
+      - uses: "actions/checkout@v4"
+        with:
+          repository: "pulp/pulp-cli"
+          path: "pulp-cli"
+      - uses: "actions/checkout@v4"
+        with:
+          token: "${{ secrets.RELEASE_TOKEN }}"
+          path: "pulp-cli"
+      - name: "Set up Python"
+        uses: "actions/setup-python@v5"
+        with:
+          python-version: "3.11"
+      - name: "Setup git"
+        run: |
+          git config user.name pulpbot
+          git config user.email pulp-infra@redhat.com
+      - name: "Install python dependencies"
+        run: |
+          pip install cookiecutter tomlkit
+      - name: "Apply cookiecutter templates"
+        run: |
+          ../pulp-cli/cookiecutter/apply_templates.py
+          if [ "$(git status --porcelain)" ]
+          then
+            git add .
+            git commit -m "Update cookiecutter"
+          fi
+      - name: "Create Pull Request"
+        uses: "peter-evans/create-pull-request@v7"
+        id: "create_pr"
+        with:
+          token: "${{ secrets.RELEASE_TOKEN }}"
+          title: "Update cookiecutter"
+          body: ""
+          branch: "update_cookiecutter"
+          delete-branch: true
+          path: "pulp-cli"
+      - name: "Mark PR automerge"
+        run: |
+          gh pr merge --rebase --auto "${{ steps.create_pr.outputs.pull-request-number }}"
+        if: "steps.create_pr.outputs.pull-request-number"
+        env:
+          GH_TOKEN: "${{ secrets.RELEASE_TOKEN }}"
+        continue-on-error: true
+...

.github/workflows/docs.yml

@@ -6,7 +6,7 @@ on:
 jobs:
   test:
     if: "endsWith(github.base_ref, 'main')"
-    runs-on: "ubuntu-20.04"
+    runs-on: "ubuntu-24.04"
     steps:
       - uses: "actions/checkout@v4"
       - uses: "actions/cache@v4"
@@ -19,7 +19,7 @@ jobs:
       - name: "Set up Python"
         uses: "actions/setup-python@v5"
         with:
-          python-version: "3.11"
+          python-version: "3.13"
       - name: "Install Test Dependencies"
         run: |
           pip install -r doc_requirements.txt
@@ -28,7 +28,7 @@ jobs:
           make docs
   no-test:
     if: "!endsWith(github.base_ref, 'main')"
-    runs-on: "ubuntu-20.04"
+    runs-on: "ubuntu-latest"
     steps:
       - run: |
           echo "Skip docs testing on non-main branches."

.github/workflows/lint.yml

@@ -12,7 +12,7 @@ jobs:
       matrix:
         python:
           - "3.11"
-          - "3.12"
+          - "3.13"
     steps:
       - uses: "actions/checkout@v4"
       - uses: "actions/cache@v4"

.github/workflows/release_branch.yml

@@ -8,6 +8,8 @@ jobs:
     runs-on: "ubuntu-latest"
     steps:
       - uses: "actions/checkout@v4"
+        with:
+          token: "${{ secrets.RELEASE_TOKEN }}"
       - name: "Set up Python"
         uses: "actions/setup-python@v5"
         with:

.github/workflows/test.yml

@@ -12,7 +12,7 @@ env:
 
 jobs:
   test:
-    runs-on: "ubuntu-20.04"
+    runs-on: "ubuntu-24.04"
     strategy:
       fail-fast: false
       matrix:
@@ -60,6 +60,10 @@ jobs:
           if [ "${{matrix.lower_bounds}}" ]
           then
             pip install dist/pulp_cli-*.whl pulp-glue/dist/pulp_glue-*.whl -r test_requirements.txt -c lower_bounds_constraints.lock
+          elif [ "${{matrix.upper_bounds}}" ]
+          then
+            .ci/scripts/calc_constraints.py pyproject.toml pulp-glue/pyproject.toml  --upper > upper_bounds_constraints.lock
+            pip install dist/pulp_cli-*.whl pulp-glue/dist/pulp_glue-*.whl -r test_requirements.txt -c upper_bounds_constraints.lock
           else
             pip install dist/pulp_cli-*.whl pulp-glue/dist/pulp_glue-*.whl -r test_requirements.txt
           fi
@@ -70,7 +74,11 @@ jobs:
           FROM_TAG: "${{ matrix.from_tag }}"
           CONTAINER_FILE: "${{ matrix.container_file }}"
           PULP_HTTPS: "${{ matrix.pulp_https }}"
+          PULP_OAUTH2: "${{ matrix.pulp_oauth2 }}"
           PULP_API_ROOT: "${{ matrix.pulp_api_root }}"
+          PULP_DOMAIN_ENABLED: "${{ matrix.pulp_domain_enabled }}"
+          PULP_ENABLED_PLUGINS: "${{ matrix.pulp_enabled_plugins }}"
+          OAS_VERSION: "${{ matrix.oas_version }}"
         run: |
           .ci/run_container.sh make test
 ...

CHANGES/+click.dependency.bugfix

@@ -0,0 +1 @@
+Adjust click dependency constraints to breaking changes in y-releases.

Makefile

@@ -13,7 +13,9 @@ build:
 	cd pulp-glue; pyproject-build -n
 	pyproject-build -n
 
-black:
+black: format
+
+format:
 	isort .
 	cd pulp-glue; isort .
 	black .
@@ -36,11 +38,20 @@ tests/cli.toml:
 test: | tests/cli.toml
 	python3 -m pytest -v tests pulp-glue/tests
 
+livetest: | tests/cli.toml
+	python3 -m pytest -v tests pulp-glue/tests -m live
+
+unittest:
+	python3 -m pytest -v tests pulp-glue/tests -m "not live"
+
+unittest_glue:
+	python3 -m pytest -v pulp-glue/tests -m "not live"
+
 docs:
 	pulp-docs build
 
 servedocs:
-	pulp-docs serve -w CHANGES.md -w pulp-glue/pulp_glue -w pulpcore/cli/common/generic.py
+	pulp-docs serve -w CHANGES.md -w pulp-glue/pulp_glue -w pulp_cli/generic.py
 
 pulp-glue/pulp_glue/%/locale/messages.pot: pulp-glue/pulp_glue/%/*.py
 	xgettext -d $* -o $@ pulp-glue/pulp_glue/$*/*.py

pulp-glue/pyproject.toml

@@ -1,5 +1,5 @@
 [build-system]
-requires = ["setuptools"]
+requires = ["setuptools<81"]
 build-backend = "setuptools.build_meta"
 
 [project]
@@ -24,7 +24,7 @@ classifiers = [
 ]
 dependencies = [
   "importlib_resources>=5.4.0,<6.2;python_version<'3.9'",
-  "packaging>=20.0,<=24.2",  # CalVer
+  "packaging>=20.0,<=25.0",  # CalVer
   "requests>=2.24.0,<2.33",
 ]