Switch push created repo to ContainerRepository

https://redhat.atlassian.net/browse/PULP-1748
Assisted by: cursor composer 2

Author: gerrod3

CHANGES/+default-push-repo.feature

@@ -0,0 +1 @@
+Changed the default created repository on push to be a ContainerRepository instead of a ContainerPushRepository. ContainerPushRepository will eventually be phased out in future releases.

docs/admin/learn/rbac.md

@@ -349,8 +349,15 @@ repository is public, then anyone can `pull` from the repository.
 Distributions are Pulp resources that represent URLs where repositories can be consumed.
 Permissions for accessing specific container repositories are described in terms of permissions
 to access Container Distributions. Each time a new repository is pushed using `podman` or `docker`,
-a Container Distribution is created. There is also a Container Push Repository created. Both of
-these resources can be accessed using Pulp's API.
+a Container Distribution and a Container Repository are created. Both resources can be accessed
+using Pulp's API. Registry-pushed repositories inherit distribution and namespace permissions for
+read and content-modifying API actions.
+
+!!! note
+
+    Older versions of pulp-container created Container Push Repositories on docker pushes. Legacy
+    pushes still remain available under `/pulp/api/v3/repositories/container/container-push/`, but
+    will be migrated to Container Repositories in a future release.
 
 The creation of a new distribution creates three user groups that can access the distribution:
 Owners, Collaborators, and Consumers. The user that creates the distribution is automatically added to
@@ -369,17 +376,10 @@ object permissions for the Distribution:
 "container.change_containerdistribution"
 ```
 
-The Owners group also has the following permissions for the Container Push Repository associated
-with the Distribution:
-
-```
-"container.view_containerpushrepository"
-"container.modify_content_containerpushrepository"
-```
-
-The owners of a Container Distribution have the ability to update and delete the repository
-associated with the Distribution. They can also add/remove users from the groups associated with
-the distribution.
+Distribution roles grant access to the linked Container Repository through the distribution and
+namespace permission checks described above. Distribution owners can update and delete the
+repository associated with the distribution. They can also add/remove users from the roles
+associated with the distribution.
 
 #### Distribution Collaborators
 
@@ -392,14 +392,6 @@ following object permissions for the Distribution:
 "container.push_containerdistribution"
 ```
 
-The Collaborators group also has the following permissions for the Container Push Repository associated
-with the Distribution:
-
-```
-"container.view_containerpushrepository"
-"container.modify_content_containerpushrepository"
-```
-
 Users in the Collaborator group can do everything that the owners can, with the exception for deleting
 the Distribution.
 
@@ -413,14 +405,7 @@ object permissions for the distribution:
 "container.pull_containerdistribution"
 ```
 
-The Consumers group also has the following permissions for the Container Push Repository associated
-with the Distribution:
-
-```
-"container.view_containerpushrepository"
-```
-
-Users in the Consumers group can the `pull` the repository. Users should only need to be added to
+Users in the Consumers group can `pull` the repository. Users should only need to be added to
 this group if the Distribution has been configured with `private=True`. If the Distribution is
 public, then anyone can `pull` from the repository associated with the Distribution.
 
@@ -484,8 +469,10 @@ permission on the Distribution:
 ```
 
 Users that wish to be able to access the repository associated with the distribution with Pulp's
-API need the following object level permission on the Container Push Repository:
+API need one of the following:
 
 ```
-"container.view_containerpushrepository"
+"container.view_containerrepository" (object-level repository role), or
+"container.view_containerdistribution" (distribution consumer role or above), or
+"container.namespace_view_containerdistribution" (namespace consumer role or above)
 ```

pulp_container/app/authorization.py

@@ -295,7 +295,6 @@ def has_push_permissions(self, path):
         if not domain:
             return False
 
-        print("Checking push permissions for path ", path, "and domain ", domain.name)
         try:
             distribution = ContainerDistribution.objects.get(base_path=path, pulp_domain=domain)
         except ContainerDistribution.DoesNotExist:

pulp_container/app/global_access_conditions.py

@@ -28,9 +28,10 @@ def has_namespace_obj_perms(request, view, action, permission):
     if type(obj) is models.ContainerDistribution:
         namespace = obj.namespace
         return request.user.has_perm(permission, namespace)
-    elif type(obj) is models.ContainerPushRepository:
+    elif type(obj) is models.ContainerPushRepository or type(obj) is models.ContainerRepository:
         for dist in obj.distributions.all():
-            if request.user.has_perm(permission, dist.cast().namespace):
+            namespace = dist.cast().namespace
+            if namespace and request.user.has_perm(permission, namespace):
                 return True
     elif type(obj) is models.ContainerPullThroughDistribution:
         namespace = obj.namespace

pulp_container/app/registry_api.py

@@ -45,7 +45,13 @@
 from pulpcore.plugin import pulp_hashlib
 from pulpcore.plugin.exceptions import TimeoutException
 from pulpcore.plugin.files import PulpTemporaryUploadedFile
-from pulpcore.plugin.models import Artifact, ContentArtifact, RemoteArtifact, UploadChunk
+from pulpcore.plugin.models import (
+    Artifact,
+    ContentArtifact,
+    RemoteArtifact,
+    Repository,
+    UploadChunk,
+)
 from pulpcore.plugin.tasking import dispatch
 from pulpcore.plugin.util import get_domain, get_objects_for_user, get_url
 
@@ -436,11 +442,9 @@ def get_dr_push(self, request, path, create=False):
             repository = distribution.repository
             if repository:
                 repository = repository.cast()
-                if not repository.PUSH_ENABLED:
-                    raise RepositoryInvalid(name=path, message="Repository is read-only.")
             elif create:
                 with transaction.atomic():
-                    repository = serializers.ContainerPushRepositorySerializer.get_or_create(
+                    repository = serializers.ContainerRepositorySerializer.get_or_create(
                         {"name": path, "pulp_domain": domain}
                     )
                     distribution.repository = repository
@@ -451,11 +455,22 @@ def get_dr_push(self, request, path, create=False):
 
     def create_dr(self, path, request):
         domain = get_domain()
+        repository_types = [
+            models.ContainerRepository.get_pulp_type(),
+            models.ContainerPushRepository.get_pulp_type(),
+        ]
         with transaction.atomic():
             try:
-                repository = serializers.ContainerPushRepositorySerializer.get_or_create(
-                    {"name": path, "pulp_domain": domain}
-                )
+                # Handle new default of ContainerRepository and fallback old ContainerPushRepository
+                repository = Repository.objects.filter(name=path, pulp_domain=domain).first()
+                if repository:
+                    if repository.pulp_type not in repository_types:
+                        raise RepositoryInvalid(name=path, message="Repository is read-only.")
+                    repository = repository.cast()
+                else:
+                    repository = serializers.ContainerRepositorySerializer.get_or_create(
+                        {"name": path, "pulp_domain": domain}
+                    )
                 distribution = serializers.ContainerDistributionSerializer.get_or_create(
                     {"base_path": path, "name": path, "pulp_domain": domain},
                     {"repository": get_url(repository)},
@@ -464,9 +479,10 @@ def create_dr(self, path, request):
                 raise RepositoryInvalid(name=path, message="Repository is read-only.")
 
             if distribution.repository:
-                dist_repository = distribution.repository.cast()
-                if not dist_repository.PUSH_ENABLED or repository != dist_repository:
-                    raise RepositoryInvalid(name=path, message="Repository is read-only.")
+                if repository.pk != distribution.repository.pk:
+                    raise RepositoryInvalid(
+                        name=path, message="Repository is not available for push."
+                    )
             else:
                 distribution.repository = repository
                 distribution.save()

pulp_container/app/serializers.py

@@ -250,7 +250,7 @@ class Meta:
         model = models.ContainerNamespace
 
 
-class ContainerRepositorySerializer(RepositorySerializer):
+class ContainerRepositorySerializer(RepositorySerializer, GetOrCreateSerializerMixin):
     """
     Serializer for Container Repositories.
     """