Configure python SimpleView access for public domains

ref: https://issues.redhat.com/browse/PULP-1065

Author: git-hyagi

.tekton/pulp-deploy-and-test.yaml

@@ -781,6 +781,153 @@ spec:
               # Run pulp_npm functional tests
               cmd_prefix bash -c "HOME=/tmp/home PYTHONPATH=/tmp/home/.local/lib/python3.11/site-packages/ XDG_CONFIG_HOME=/tmp/home/.config API_PROTOCOL=http API_HOST=pulp-api API_PORT=8000 ADMIN_USERNAME=admin ADMIN_PASSWORD=$PASSWORD /tmp/home/.local/bin/pytest -o cache_dir=/tmp/home/.cache/pytest_cache -v -r sx --color=yes --pyargs pulp_npm.tests.functional -k 'test_pull_through_install' --junitxml=/tmp/home/junit-pulp-serial.xml" || debug_and_fail
 
+    - name: pulp-service-functional-tests
+      when:
+        - input: '$(tasks.test-metadata.results.test-event-type)'
+          operator: in
+          values: ["pull_request"]
+      runAfter:
+        - install-bindings
+      params:
+        - name: BONFIRE_IMAGE
+          value: "$(params.BONFIRE_IMAGE)"
+        - name: NS
+          value: "$(tasks.reserve-namespace.results.NS)"
+        - name: EPHEMERAL_ENV_PROVIDER_SECRET
+          value: "$(params.EPHEMERAL_ENV_PROVIDER_SECRET)"
+      taskSpec:
+        params:
+          - name: BONFIRE_IMAGE
+            type: string
+            description: The container Bonfire image to use for the tekton tasks
+            default: quay.io/redhat-user-workloads/hcc-devprod-tenant/hcc-cicd-tools/cicd-tools:834176766e3f911ffa24bfacff59dd15126e4b3a
+          - name: EPHEMERAL_ENV_PROVIDER_SECRET
+            type: string
+            default: ephemeral-env-provider
+          - name: NS
+            type: string
+            description: Namespace name to deploy the application to
+        steps:
+          - name: functional-tests
+            image: "$(params.BONFIRE_IMAGE)"
+            env:
+              - name: OC_LOGIN_TOKEN
+                valueFrom:
+                  secretKeyRef:
+                    name: $(params.EPHEMERAL_ENV_PROVIDER_SECRET)
+                    key: token
+              - name: OC_LOGIN_SERVER
+                valueFrom:
+                  secretKeyRef:
+                    name: $(params.EPHEMERAL_ENV_PROVIDER_SECRET)
+                    key: url
+              - name: NS
+                value: $(params.NS)
+            script: |
+              set -ex
+
+              login.sh
+
+              if [ -n "$NS" ]; then
+                oc_wrapper project $NS
+              else
+                export NS=$(oc_wrapper project | grep -oE 'ephemeral-......')
+              fi
+              echo "Namespace is $NS"
+
+              PASSWORD=$(oc_wrapper extract secret/pulp-admin-password --to=-)
+
+              POD=$(oc_wrapper get pod | grep -oE "pulp-api\S*")
+              echo $POD
+              oc_wrapper get pod $POD -o yaml | grep memory:
+
+              oc_wrapper get clowdenvironment env-$(oc_wrapper project | grep -oE 'ephemeral-......') -o yaml
+
+              oc_wrapper get clowdapp pulp -o yaml
+
+              ### Adapted from ./.github/workflows/scripts/utils.sh
+              # Run a command
+              cmd_prefix() {
+                oc_wrapper exec -c pulp-api deployment/pulp-api -- "$@"
+              }
+
+              # Run a command, and pass STDIN
+              cmd_stdin_prefix() {
+                oc_wrapper exec -c pulp-api -i deployment/pulp-api -- "$@"
+              }
+              ### END Adapted from ./.github/workflows/scripts/utils.sh
+
+              debug_and_fail() {
+                oc_wrapper logs $(oc_wrapper get pod | grep -oE "pulp-content\S*")
+                oc_wrapper logs $(oc_wrapper get pod | grep -oE "pulp-api\S*")
+                echo "CURL OUTPUT"
+                curl https://env-${NS}.apps.crc-eph.r9lp.p1.openshiftapps.com/api/pulp-content/default/
+                echo "ROUTES"
+                oc_wrapper get route
+                exit 1
+              }
+
+              cmd_prefix bash -c "HOME=/tmp/home pip3 install pytest\<8"
+              cmd_prefix bash -c "HOME=/tmp/home pip3 install pulp-smash@git+https://github.com/pulp/pulp-smash.git@2ded6671e0f32c51e70681467199e8a195f7f5fe"
+
+              cmd_prefix mkdir -p /tmp/home/.config/pulp_smash
+              cat << EOF >> pulp-smash.json
+              {
+                "pulp": {
+                  "auth": [
+                    "admin",
+                    "password"
+                  ],
+                  "selinux enabled": false,
+                  "version": "3"
+                },
+                "hosts": [
+                  {
+                    "hostname": "pulp-api",
+                    "roles": {
+                      "api": {
+                        "port": 8000,
+                        "scheme": "http",
+                        "service": "nginx"
+                      },
+                      "content": {
+                        "port": 8000,
+                        "scheme": "https",
+                        "service": "pulp-content"
+                      },
+                      "pulp resource manager": {},
+                      "pulp workers": {},
+                      "redis": {},
+                      "shell": {
+                        "transport": "local"
+                      }
+                    }
+                  }
+                ]
+              }
+              EOF
+              sed "s#password#${PASSWORD}#g" pulp-smash.json > pulp-smash.customized.json
+              sed -i "s/pulp-content/env-${NS}.apps.crc-eph.r9lp.p1.openshiftapps.com/g" pulp-smash.customized.json
+
+              echo "PULP-SMASH CONFIG:"
+              cat pulp-smash.customized.json
+
+              curl -o functest_requirements.txt https://raw.githubusercontent.com/pulp/pulp_rpm/main/functest_requirements.txt
+              curl -o unittest_requirements.txt https://raw.githubusercontent.com/pulp/pulp_rpm/main/unittest_requirements.txt
+
+              ### Adapted from ./.github/workflows/scripts/script.sh
+              cat unittest_requirements.txt | cmd_stdin_prefix bash -c "cat > /tmp/unittest_requirements.txt"
+              cat functest_requirements.txt | cmd_stdin_prefix bash -c "cat > /tmp/functest_requirements.txt"
+              cat pulp-smash.customized.json | cmd_stdin_prefix bash -c "cat > /tmp/home/.config/pulp_smash/settings.json"
+              cmd_prefix bash -c "HOME=/tmp/home pip3 install -r /tmp/unittest_requirements.txt -r /tmp/functest_requirements.txt"
+              # Because we pass the path to pytest -o cache_dir=/tmp/home/.cache/pytest_cache, pulpcore-manager must be in the same dir
+              cmd_prefix bash -c "ln -s /usr/local/lib/pulp/bin/pulpcore-manager /tmp/home/.local/bin/pulpcore-manager || /bin/true"
+              echo "CURL OUTPUT"
+              curl https://env-${NS}.apps.crc-eph.r9lp.p1.openshiftapps.com/api/pulp-content/default/
+              echo "ROUTES"
+              oc_wrapper get route
+              set +e
+
               # Run pulp_service functional tests
               cmd_prefix bash -c "HOME=/tmp/home PYTHONPATH=/tmp/home/.local/lib/python3.11/site-packages/ XDG_CONFIG_HOME=/tmp/home/.config API_PROTOCOL=http API_HOST=pulp-api API_PORT=8000 ADMIN_USERNAME=admin ADMIN_PASSWORD=$PASSWORD /tmp/home/.local/bin/pytest -o cache_dir=/tmp/home/.cache/pytest_cache -v -r sx --color=yes --pyargs pulp_service.tests.functional -m 'not parallel' --junitxml=/tmp/home/junit-pulp-serial.xml" || debug_and_fail
 
@@ -800,6 +947,7 @@ spec:
           value: "$(params.SNAPSHOT)"
       runAfter:
         - pulp-functional-tests
+        - pulp-service-functional-tests
       taskSpec:
         params:
           - name: BONFIRE_IMAGE

deploy/clowdapp.yaml

@@ -1175,7 +1175,7 @@ parameters:
     value: "@merge ['django.contrib.auth.backends.RemoteUserBackend','pulp_service.app.authentication.RHSamlAuthentication']"
   - name: PULP_REST_FRAMEWORK__DEFAULT_AUTHENTICATION_CLASSES
     description: The default authentication classes for Pulp.
-    value: "['pulp_service.app.authentication.RHServiceAccountCertAuthentication','pulpcore.app.authentication.JSONHeaderRemoteAuthentication','rest_framework.authentication.BasicAuthentication','rest_framework.authentication.SessionAuthentication']"
+    value: "['pulp_service.app.authentication.RHServiceAccountCertAuthentication','pulpcore.app.authentication.JSONHeaderRemoteAuthentication','rest_framework.authentication.BasicAuthentication','rest_framework.authentication.SessionAuthentication','pulp_service.app.authentication.RHEntitlementCertAuthentication']"
   - name: PULP_REST_FRAMEWORK__DEFAULT_PERMISSION_CLASSES
     description: The default permission classes for the REST API
     value: "['pulp_service.app.authorization.DomainBasedPermission']"

images/assets/patches/0023-Add-auth-override-pulp-python.patch

@@ -1,17 +1,17 @@
-From d2578a51b604d478fae11c20fb7bb8da022bf7ce Mon Sep 17 00:00:00 2001
+From 6632cb10ac66d70091b4b42ec0469b963fdcc32d Mon Sep 17 00:00:00 2001
 From: Yasen <[email protected]>
 Date: Fri, 8 Aug 2025 15:44:15 +0200
-Subject: [PATCH] Add auth override to pulp-python SimpleView
+Subject: [PATCH 1/2] Add auth override to pulp-python SimpleView
 
 ---
  pulp_python/app/pypi/views.py | 2 ++
  1 file changed, 2 insertions(+)
 
 diff --git a/pulp_python/app/pypi/views.py b/pulp_python/app/pypi/views.py
-index 79033d4..0e8a747 100644
+index b7808a9..3f44390 100644
 --- a/pulp_python/app/pypi/views.py
 +++ b/pulp_python/app/pypi/views.py
-@@ -220,6 +220,8 @@ class SimpleView(PackageUploadMixin, ViewSet):
+@@ -255,6 +255,8 @@ class SimpleView(PackageUploadMixin, ViewSet):
      """View for the PyPI simple API."""
 
      endpoint_name = "simple"
@@ -21,4 +21,41 @@ index 79033d4..0e8a747 100644
          "statements": [
              {
 -- 
-2.50.1
+2.46.2
+
+
+From 88bb3da0ef0a8ac1c0a51188bd31a7f72f2eb96e Mon Sep 17 00:00:00 2001
+From: git-hyagi <[email protected]>
+Date: Wed, 7 Jan 2026 14:21:13 -0300
+Subject: [PATCH 2/2] Add PublicDomainPermission to SimpleView
+ permission_classes
+
+---
+ pulp_python/app/pypi/views.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/pulp_python/app/pypi/views.py b/pulp_python/app/pypi/views.py
+index 3f44390..cf0f596 100644
+--- a/pulp_python/app/pypi/views.py
++++ b/pulp_python/app/pypi/views.py
+@@ -54,6 +54,7 @@ from pulp_python.app.utils import (
+ )
+ 
+ from pulp_python.app import tasks
++from pulp_service.app.authorization import DomainBasedPermission, PublicDomainPermission
+ 
+ log = logging.getLogger(__name__)
+ 
+@@ -255,8 +256,7 @@ class SimpleView(PackageUploadMixin, ViewSet):
+     """View for the PyPI simple API."""
+ 
+     endpoint_name = "simple"
+-    authentication_classes = []
+-    permission_classes = []
++    permission_classes = [PublicDomainPermission|DomainBasedPermission]
+     DEFAULT_ACCESS_POLICY = {
+         "statements": [
+             {
+-- 
+2.46.2
+

pulp_service/pulp_service/app/authorization.py

@@ -4,6 +4,7 @@
 from django.db.models import Q
 import json
 import jq
+from pulpcore.plugin.models import Domain
 from pulpcore.plugin.util import extract_pk, get_domain_pk
 from pulp_service.app.models import DomainOrg
 from rest_framework.permissions import BasePermission
@@ -117,3 +118,26 @@ def get_org_id(self, decoded_header_content):
                 return org_id_json_path.input_value(header_value).first()
             except json.JSONDecodeError:
                 return
+
+
+class PublicDomainPermission(BasePermission):
+    """
+    A Permission Class that grants permission to Domains with public- prefix
+    """
+
+    def has_permission(self, request, view):
+        # Only allow GET requests
+        if request.method != "GET":
+            return False
+
+        try:
+            domain_pk = get_domain_pk()
+            domain = Domain.objects.get(pk=domain_pk)
+            if domain.name.startswith("public-"):
+                return True
+        except Exception:
+            # If we can't get the domain, deny access
+            return False
+
+        # Not a public domain
+        return False

pulp_service/pulp_service/tests/functional/conftest.py

@@ -40,3 +40,34 @@ def _gen_group(name=None):
             pulpcore_bindings.GroupsApi, {"name": name}
         )
     return _gen_group
+
+
+@pytest.fixture()
+def cleanup_auth_headers(request, pulpcore_bindings):
+    """
+    Automatically clean up x-rh-identity headers before each test.
+
+    This prevents authentication headers from leaking between tests
+    and affecting other test results.
+    """
+    # Clean up after the test runs
+    if hasattr(pulpcore_bindings, "DomainsApi"):
+        pulpcore_bindings.DomainsApi.api_client.default_headers.pop("x-rh-identity", None)
+
+    # Try to clean up file_bindings if it was used in the test
+    if "file_bindings" in request.fixturenames:
+        file_bindings = request.getfixturevalue("file_bindings")
+        if hasattr(file_bindings, "RepositoriesFileApi"):
+            file_bindings.RepositoriesFileApi.api_client.default_headers.pop("x-rh-identity", None)
+
+    # Try to clean up python_bindings if it was used in the test
+    if "python_bindings" in request.fixturenames:
+        python_bindings = request.getfixturevalue("python_bindings")
+        if hasattr(python_bindings, "RepositoriesPythonApi"):
+            python_bindings.RepositoriesPythonApi.api_client.default_headers.pop(
+                "x-rh-identity", None
+            )
+        if hasattr(python_bindings, "DistributionsPypiApi"):
+            python_bindings.DistributionsPypiApi.api_client.default_headers.pop(
+                "x-rh-identity", None
+            )