Nail down a few additional differences between pulp_rust and crates.io

Validate semver formatting and treat the comparison correctly

Warn users about keeping private registries on the same domain as public
indexes.

Add some additional tests

Assisted-By: claude-opus-4.6

Author: dralley

docs/user/guides/private-registry.md

@@ -173,6 +173,22 @@ my-internal-lib = { version = "1.0", registry = "my-crates" }  # resolved from p
     attacks, where an attacker publishes a crate on the public registry with the same name as one
     of your private crates.
 
+## Crate Name Handling
+
+Crate names in the Cargo spec are case-insensitive, and hyphens and underscores are treated as
+equivalent (e.g. `my-crate` and `my_crate` refer to the same package). Pulp enforces this:
+publishing `my-crate` when `my_crate` already exists in the same repository is rejected as a
+duplicate. Yank and unyank operations use the same matching.
+
+!!! warning "Domain Isolation"
+    Pulp shares content objects globally within a
+    [domain](https://docs.pulpproject.org/pulpcore/configuration/domains.html). A crate name
+    collision between a private registry and a pull-through cache in the same domain could allow
+    an upstream crate to shadow a private one (a form of
+    [dependency confusion](https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610)).
+    To mitigate this, consider placing private registries and public pull-through caches in
+    **separate Pulp domains** so their content namespaces are fully isolated.
+
 ## Further Reading
 
 - [Cargo registries configuration](https://doc.rust-lang.org/cargo/reference/registries.html) -- configuring alternate registries in Cargo

pulp_rust/app/migrations/0001_initial.py

@@ -19,6 +19,7 @@ class Migration(migrations.Migration):
             fields=[
                 ('content_ptr', models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True, primary_key=True, serialize=False, to='core.content')),
                 ('name', models.CharField(db_index=True, max_length=255)),
+                ('canonical_name', models.CharField(db_index=True, max_length=255)),
                 ('vers', models.CharField(db_index=True, max_length=64)),
                 ('cksum', models.CharField(db_index=True, max_length=64)),
                 ('features', models.JSONField(blank=True, default=dict)),
@@ -30,7 +31,7 @@ class Migration(migrations.Migration):
             ],
             options={
                 'default_related_name': '%(app_label)s_%(model_name)s',
-                'unique_together': {('name', 'vers', '_pulp_domain')},
+                'unique_together': {('name', 'vers', 'cksum', '_pulp_domain')},
             },
             bases=('core.content',),
         ),

pulp_rust/app/models.py

@@ -5,7 +5,11 @@
 from django.db import models
 from django_lifecycle import hook, AFTER_CREATE
 
-from pulp_rust.app.utils import extract_cargo_toml, extract_dependencies
+from pulp_rust.app.utils import (
+    canonicalize_crate_name,
+    extract_cargo_toml,
+    extract_dependencies,
+)
 
 from pulpcore.plugin.models import (
     Content,
@@ -55,8 +59,25 @@ class RustContent(Content):
     Cargo registry index specification. Each instance corresponds to one line
     in a package's index file.
 
+    The `name` field preserves the original crate name as it appears in the
+    package's `Cargo.toml` (e.g. `cfg-if`, `Serde-JSON`).  This matches
+    crates.io behavior and ensures that download paths and index entries use
+    the author's intended name form.
+
+    The `canonical_name` field stores the canonical form (lowercased, hyphens
+    replaced with underscores) for use in lookups where the Cargo spec's
+    case-insensitive, hyphen/underscore-equivalent matching is needed - for
+    example, duplicate detection during publish and yank operations.
+
+    Content uniqueness is enforced on `(name, vers, cksum, _pulp_domain)`.
+    Including `cksum` allows different crates with the same name and version
+    (e.g. a private crate and a public crate) to coexist as separate content
+    objects within a domain, while `repo_key_fields` prevents both from
+    appearing in the same repository version.
+
     Fields:
-        name: The package name (crate name)
+        name: The package name as it appears in Cargo.toml
+        canonical_name: Canonical form (lowercased, hyphens -> underscores)
         vers: The semantic version string (SemVer 2.0.0)
         cksum: SHA256 checksum of the .crate file (tarball)
         features: JSON object mapping feature names to their dependencies
@@ -69,9 +90,15 @@ class RustContent(Content):
     TYPE = "rust"
     repo_key_fields = ("name", "vers")
 
-    # Package name - alphanumeric characters, hyphens, and underscores allowed
+    # Package name as it appears in the crate's Cargo.toml.
     name = models.CharField(max_length=255, blank=False, null=False, db_index=True)
 
+    # Canonical form of the name: lowercased with hyphens replaced by underscores.
+    # Used for lookups where the Cargo spec's case-insensitive,
+    # hyphen/underscore-equivalent matching is needed (e.g. duplicate detection,
+    # yank operations).
+    canonical_name = models.CharField(max_length=255, blank=False, null=False, db_index=True)
+
     # Semantic version string following SemVer 2.0.0 specification
     vers = models.CharField(max_length=64, blank=False, null=False, db_index=True)
 
@@ -115,6 +142,7 @@ def init_from_artifact_and_relative_path(artifact, relative_path):
 
         content = RustContent(
             name=crate_name,
+            canonical_name=canonicalize_crate_name(crate_name),
             vers=version,
             cksum=artifact.sha256,
             features=cargo_toml.get("features", {}),
@@ -136,7 +164,11 @@ def _create_dependencies_from_parsed_data(self):
 
     class Meta:
         default_related_name = "%(app_label)s_%(model_name)s"
-        unique_together = (("name", "vers", "_pulp_domain"),)
+        # cksum is included so that different crates with the same canonical
+        # name and version (e.g. a private crate vs a public crate of the
+        # same name) can coexist within a domain.  repo_key_fields still
+        # prevents both from appearing in the same repository version.
+        unique_together = (("name", "vers", "cksum", "_pulp_domain"),)
 
 
 class RustDependency(models.Model):
@@ -277,6 +309,7 @@ class RustPackageYank(Content):
 
     name = models.CharField(max_length=255, db_index=True)
     vers = models.CharField(max_length=64, db_index=True)
+
     _pulp_domain = models.ForeignKey("core.Domain", default=get_domain_pk, on_delete=models.PROTECT)
 
     class Meta:

pulp_rust/app/serializers.py

@@ -7,6 +7,7 @@
 from pulpcore.plugin import serializers as core_serializers
 
 from . import models
+from .utils import canonicalize_crate_name
 
 log = logging.getLogger(__name__)
 
@@ -153,6 +154,7 @@ class RustContentSerializer(core_serializers.SingleArtifactContentSerializer):
     def create(self, validated_data):
         """Create RustContent and related dependencies."""
         dependencies_data = validated_data.pop("dependencies", [])
+        validated_data["canonical_name"] = canonicalize_crate_name(validated_data["name"])
         content = super().create(validated_data)
 
         # Create dependency records

pulp_rust/app/tasks/publishing.py

@@ -1,11 +1,18 @@
 import hashlib
 import struct
 
+from django.db import IntegrityError
+
 from pulpcore.plugin.models import Artifact, ContentArtifact
 from pulpcore.plugin.tasking import aadd_and_remove
 
 from pulp_rust.app.models import RustContent, RustDependency, RustRepository
-from pulp_rust.app.utils import extract_cargo_toml, extract_dependencies
+from pulp_rust.app.utils import (
+    canonicalize_crate_name,
+    extract_cargo_toml,
+    extract_dependencies,
+    strip_semver_build_metadata,
+)
 
 
 def parse_cargo_publish_body(body):
@@ -55,15 +62,19 @@ async def apublish_package(repository_pk, metadata, crate_path):
     """
     repository = await RustRepository.objects.aget(pk=repository_pk)
 
-    # Create the artifact from the .crate file
+    # Create the artifact from the .crate file, or reuse an existing one
+    # with the same checksum (Artifact has a unique constraint on digests).
     with open(crate_path, "rb") as f:
         cksum = hashlib.sha256(f.read()).hexdigest()
 
     artifact = Artifact.init_and_validate(crate_path, expected_digests={"sha256": cksum})
-    await artifact.asave()
+    try:
+        await artifact.asave()
+    except IntegrityError:
+        artifact = await Artifact.objects.aget(sha256=cksum)
 
     # Extract authoritative metadata from the Cargo.toml inside the .crate tarball.
-    # The publish JSON metadata is NOT authoritative — a rogue client can send metadata
+    # The publish JSON metadata is NOT authoritative - a rogue client can send metadata
     # that doesn't match the actual package. We only use the JSON name/vers to locate the
     # Cargo.toml within the tarball, then extract everything from the Cargo.toml itself.
     # See: https://github.com/rust-lang/cargo/issues/14492
@@ -72,34 +83,52 @@ async def apublish_package(repository_pk, metadata, crate_path):
     package = cargo_toml.get("package", {})
 
     name = package["name"]
-    vers = package["version"]
+    canonical_name = canonicalize_crate_name(name)
+    # Strip build metadata - SemVer 2.0.0 treats versions differing only in
+    # build metadata as identical, and the index must not contain duplicates.
+    vers = strip_semver_build_metadata(package["version"])
 
     # Build dependency list from the Cargo.toml (authoritative source)
     deps = extract_dependencies(cargo_toml)
 
-    # Create the content record
-    content = RustContent(
+    # Reuse existing content if it already exists in the domain with the same
+    # checksum (e.g. from a pull-through cache or another repository's publish).
+    # Content in Pulp is globally shared - the same object can belong to
+    # multiple repositories.  Including cksum in the lookup allows different
+    # crates with the same name+version (e.g. a private crate shadowing a
+    # public one) to coexist as separate content objects within a domain.
+    content = await RustContent.objects.filter(
         name=name,
         vers=vers,
         cksum=cksum,
-        features=cargo_toml.get("features", {}),
-        features2=None,
-        links=package.get("links"),
-        rust_version=package.get("rust-version"),
         _pulp_domain_id=repository.pulp_domain_id,
-    )
-    await content.asave()
-
-    # Create dependencies
-    if deps:
-        await RustDependency.objects.abulk_create(
-            [RustDependency(content=content, **dep) for dep in deps]
+    ).afirst()
+
+    if content is None:
+        content = RustContent(
+            name=name,
+            canonical_name=canonical_name,
+            vers=vers,
+            cksum=cksum,
+            features=cargo_toml.get("features", {}),
+            features2=None,
+            links=package.get("links"),
+            rust_version=package.get("rust-version"),
+            _pulp_domain_id=repository.pulp_domain_id,
         )
+        await content.asave()
+
+        if deps:
+            await RustDependency.objects.abulk_create(
+                [RustDependency(content=content, **dep) for dep in deps]
+            )
 
-    # Create the content artifact (links the .crate file to the content)
+    # Create the content artifact if it doesn't already exist
     relative_path = f"{name}/{name}-{vers}.crate"
-    await ContentArtifact.objects.acreate(
-        artifact=artifact, content=content, relative_path=relative_path
+    await ContentArtifact.objects.aget_or_create(
+        content=content,
+        relative_path=relative_path,
+        defaults={"artifact": artifact},
     )
 
     # Add the content to a new repository version

pulp_rust/app/tasks/yanking.py

@@ -1,6 +1,7 @@
 from pulpcore.plugin.tasking import aadd_and_remove
 
 from pulp_rust.app.models import RustContent, RustPackageYank, RustRepository
+from pulp_rust.app.utils import canonicalize_crate_name
 
 
 async def ayank_package(repository_pk, name, vers):
@@ -9,11 +10,14 @@ async def ayank_package(repository_pk, name, vers):
 
     Creates a new repository version with the yank marker added.
     """
+    name = canonicalize_crate_name(name)
     repository = await RustRepository.objects.aget(pk=repository_pk)
     latest = await repository.alatest_version()
 
     # Verify the package version exists in this repository
-    exists = await RustContent.objects.filter(pk__in=latest.content, name=name, vers=vers).aexists()
+    exists = await RustContent.objects.filter(
+        pk__in=latest.content, canonical_name=name, vers=vers
+    ).aexists()
     if not exists:
         raise ValueError(f"Package {name}=={vers} not found in repository")
 
@@ -25,7 +29,9 @@ async def ayank_package(repository_pk, name, vers):
         return  # Already yanked, no-op
 
     yank_marker, _ = await RustPackageYank.objects.aget_or_create(
-        name=name, vers=vers, _pulp_domain_id=repository.pulp_domain_id
+        name=name,
+        vers=vers,
+        _pulp_domain_id=repository.pulp_domain_id,
     )
 
     await aadd_and_remove(
@@ -41,6 +47,7 @@ async def aunyank_package(repository_pk, name, vers):
 
     Creates a new repository version with the yank marker removed.
     """
+    name = canonicalize_crate_name(name)
     repository = await RustRepository.objects.aget(pk=repository_pk)
     latest = await repository.alatest_version()
 

pulp_rust/app/utils.py

@@ -1,3 +1,4 @@
+import re
 import tarfile
 
 try:
@@ -88,3 +89,65 @@ def extract_dependencies(cargo_toml):
             deps.append(parse_dep(name, spec, kind="build", target=target))
 
     return deps
+
+
+CRATE_NAME_MAX_LENGTH = 64
+CRATE_NAME_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9_-]*$")
+SEMVER_RE = re.compile(
+    r"^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)"
+    r"(-[0-9a-zA-Z-]+(\.[0-9a-zA-Z-]+)*)?"
+    r"(\+[0-9a-zA-Z-]+(\.[0-9a-zA-Z-]+)*)?$"
+)
+
+
+def validate_crate_name(name):
+    """Validate a crate name.
+
+    Enforces the following rules:
+    - Must start with an ASCII letter and contain only ASCII alphanumeric
+      characters, hyphens, or underscores (Cargo spec, via ``cargo new``).
+    - Must not exceed 64 characters (crates.io policy, not in the Cargo spec).
+
+    Returns None if valid, or an error message string if invalid.
+    """
+    if not name:
+        return "crate name must not be empty"
+    if len(name) > CRATE_NAME_MAX_LENGTH:
+        return f"crate name exceeds maximum length of {CRATE_NAME_MAX_LENGTH} characters"
+    if not CRATE_NAME_RE.match(name):
+        return (
+            "crate name must start with an ASCII letter and contain only "
+            "ASCII alphanumeric characters, hyphens, or underscores"
+        )
+    return None
+
+
+def validate_crate_version(version):
+    """Validate a crate version per SemVer 2.0.0 (required by Cargo spec).
+
+    Returns None if valid, or an error message string if invalid.
+    """
+    if not version:
+        return "crate version must not be empty"
+    if not SEMVER_RE.match(version):
+        return f"invalid semver: `{version}` " "(expected MAJOR.MINOR.PATCH[-prerelease][+build])"
+    return None
+
+
+def strip_semver_build_metadata(version):
+    """Strip build metadata from a SemVer version string.
+
+    Per SemVer 2.0.0, versions that differ only in build metadata have equal
+    precedence.  The Cargo registry spec requires that indexes treat such
+    versions as identical (e.g. ``1.0.0`` and ``1.0.0+build1`` must collide).
+    """
+    return version.split("+", 1)[0]
+
+
+def canonicalize_crate_name(name):
+    """Canonicalize a crate name for uniqueness comparison.
+
+    Crate names are case-insensitive and hyphens and underscores are treated
+    as equivalent (Cargo spec).
+    """
+    return name.lower().replace("-", "_")