Fix numerous flatpak issues

gerrod3 · dralley · commit 1f08cebbc215 · 2026-04-28T14:05:51.000-04:00
https://redhat.atlassian.net/browse/PULP-1633 - Fix flatpak index cache serialization on pulpcore>=3.85 - Add domain prefix to flatpak index Name field via get_full_path - Fix FlatpakIndexStaticCache key to include host, preventing cross-domain cache collisions - Fix OS/architecture filters being silently dropped in recurse_through_manifest_lists - Make test_flatpak_install domain-aware using the full_path fixture - Fix host generation in index response when CONTENT_ORIGIN=None - Fix CI TLS setup to use cp cert to the anchor location so flatpak/OSTree trusts the Pulp CA Made-with: Cursor
diff --git a/.github/workflows/scripts/post_before_script.sh b/.github/workflows/scripts/post_before_script.sh
@@ -2,13 +2,9 @@ SCENARIOS=("pulp" "performance" "azure" "gcp" "s3" "generate-bindings" "lowerbou
 if [[ " ${SCENARIOS[*]} " =~ " ${TEST} " ]]; then
   # Needed by pulp_container/tests/functional/api/test_flatpak.py:
   cmd_prefix dnf install -yq dbus-daemon flatpak
-fi
 
-# This allows flatpak to trust Pulp, but currently it breaks the trust for bindings
-# TODO: Figure out another command to fix this
-# add the copied certificates from install.sh to the container's trusted certificates list
-# if [[ "$TEST" = "azure" ]]; then
-#   cmd_prefix trust anchor /etc/pki/tls/cert.pem
-# else
-#   cmd_prefix trust anchor /etc/pulp/certs/pulp_webserver.crt
-# fi
+  # DO NOT CALL update-ca-trust, it will break the bindings TLS
+  # This copy is for the flatpak tests, flatpak uses pk11-kit which checks the source anchors
+  # to build the trust chain, it doesn't actually use the output of update-ca-trust
+  cmd_prefix cp /etc/pulp/certs/pulp_webserver.crt /etc/pki/ca-trust/source/anchors/pulp_webserver.crt
+fi
diff --git a/CHANGES/+flatpak-cache-key.bugfix b/CHANGES/+flatpak-cache-key.bugfix
@@ -0,0 +1 @@
+Fixed a cache key collision in the flatpak static index that could serve incorrect results across domains.
diff --git a/CHANGES/+flatpak-domain-name.bugfix b/CHANGES/+flatpak-domain-name.bugfix
@@ -0,0 +1 @@
+Fixed flatpak index response to include the domain prefix in image names when domains are enabled.
diff --git a/CHANGES/+flatpak-index-cache.bugfix b/CHANGES/+flatpak-index-cache.bugfix
@@ -0,0 +1 @@
+Fixed a serialization issue with the FlatpakIndex cache.
diff --git a/CHANGES/+flatpak-manifest-list-filter.bugfix b/CHANGES/+flatpak-manifest-list-filter.bugfix
@@ -0,0 +1 @@
+Fixed OS and architecture filters being silently ignored when filtering manifest lists in the flatpak index.
diff --git a/CHANGES/+flatpak-registry-host.bugfix b/CHANGES/+flatpak-registry-host.bugfix
@@ -0,0 +1 @@
+Fixed the registry host in the flatpak index response when `CONTENT_ORIGIN=None`.
diff --git a/pulp_container/app/cache.py b/pulp_container/app/cache.py
@@ -97,14 +97,15 @@ def find_base_path_cached(request, cached):
 
 class FlatpakIndexStaticCache(SyncContentCache):
     def __init__(self, expires_ttl=None, auth=None):
-        updated_keys = (QUERY_KEY,)
+        updated_keys = (CacheKeys.host, QUERY_KEY)
         super().__init__(
             base_key="/index/static", expires_ttl=expires_ttl, keys=updated_keys, auth=auth
         )
 
     def make_key(self, request):
-        """Make a key composed of the request's query."""
+        """Make a key composed of the request's host and query."""
         all_keys = {
+            CacheKeys.host: request.get_host(),
             QUERY_KEY: request.query_params.urlencode(),
         }
         key = ":".join(all_keys[k] for k in self.keys)
diff --git a/pulp_container/app/registry_api.py b/pulp_container/app/registry_api.py
@@ -593,9 +593,9 @@ def recurse_through_manifest_lists(self, tag, manifest, oss, architectures, mani
         elif manifest.media_type in (models.MEDIA_TYPE.MANIFEST_LIST, models.MEDIA_TYPE.INDEX_OCI):
             mlms = manifest.listed_manifests.through.objects.filter(image_manifest__pk=manifest.pk)
             if oss:
-                mlms.filter(os__in=oss)
+                mlms = mlms.filter(os__in=oss)
             if architectures:
-                mlms.filter(architecture__in=architectures)
+                mlms = mlms.filter(architecture__in=architectures)
             for mlm in mlms:
                 self.recurse_through_manifest_lists(
                     tag, mlm.manifest_list, oss, architectures, manifests
@@ -705,7 +705,7 @@ def get(self, request):
                     continue
                 images.append(
                     {
-                        "Tags": tagged,
+                        "Tags": list(tagged),
                         "Digest": manifest.digest,
                         "MediaType": manifest.media_type,
                         "OS": os,
@@ -714,9 +714,14 @@ def get(self, request):
                     }
                 )
             if images:
-                results.append({"Name": distribution.base_path, "Images": images})
+                results.append(
+                    {
+                        "Name": get_full_path(distribution.base_path, distribution.pulp_domain),
+                        "Images": images,
+                    }
+                )
 
-        host = settings.CONTENT_ORIGIN or request.get_host()
+        host = settings.CONTENT_ORIGIN or request.build_absolute_uri("/")
         return Response(data={"Registry": host, "Results": results})
 
 
diff --git a/pulp_container/tests/functional/api/test_flatpak.py b/pulp_container/tests/functional/api/test_flatpak.py
@@ -6,8 +6,6 @@
 
 from pulp_container.tests.functional.constants import REGISTRY_V2
 
-pytestmark = pytest.mark.skip(reason="TLS is broken currently. TODO: Fix")
-
 
 def run_flatpak_commands(host):
     # Install flatpak:
@@ -16,6 +14,7 @@ def run_flatpak_commands(host):
             "flatpak",
             "--user",
             "remote-add",
+            "--if-not-exists",
             "pulptest",
             "oci+" + host,
         ]
@@ -67,16 +66,21 @@ def test_flatpak_install(
     container_manifest_api,
     pulp_settings,
     bindings_cfg,
+    full_path,
 ):
     if not pulp_settings.FLATPAK_INDEX:
         pytest.skip("This test requires FLATPAK_INDEX to be enabled")
 
     image_path1 = f"{REGISTRY_V2}/pulp/oci-net.fishsoup.busyboxplatform:latest"
     registry_client.pull(image_path1)
-    local_registry.tag_and_push(image_path1, "pulptest/oci-net.fishsoup.busyboxplatform:latest")
+    local_registry.tag_and_push(
+        image_path1, full_path("pulptest/oci-net.fishsoup.busyboxplatform") + ":latest"
+    )
     image_path2 = f"{REGISTRY_V2}/pulp/oci-net.fishsoup.hello:latest"
     registry_client.pull(image_path2)
-    local_registry.tag_and_push(image_path2, "pulptest/oci-net.fishsoup.hello:latest")
+    local_registry.tag_and_push(
+        image_path2, full_path("pulptest/oci-net.fishsoup.hello") + ":latest"
+    )
     namespace = container_namespace_api.list(name="pulptest").results[0]
     add_to_cleanup(container_namespace_api, namespace.pulp_href)
 

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Fixed a cache key collision in the flatpak static index that could serve incorrect results across domains.`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Fixed flatpak index response to include the domain prefix in image names when domains are enabled.`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Fixed a serialization issue with the FlatpakIndex cache.`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Fixed OS and architecture filters being silently ignored when filtering manifest lists in the flatpak index.`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	+Fixed the registry host in the flatpak index response when `CONTENT_ORIGIN=None`.