Add support for release overrides to signed_add_and_remove

Author: daviddavis

pulp_deb/app/models/repository.py

@@ -1,4 +1,5 @@
 from django.db import models
+from django.utils.functional import cached_property
 
 from pulpcore.plugin.models import (
     AutoAddObjPermsMixin,
@@ -131,13 +132,21 @@ def release_package_signing_fingerprint(self, release):
         """
         if isinstance(release, Release):
             release = release.distribution
-        try:
-            override = self.package_signing_fingerprint_release_overrides.get(
-                release_distribution=release
-            )
-            return override.package_signing_fingerprint
-        except AptRepositoryReleasePackageSigningFingerprintOverride.DoesNotExist:
+        if not release:
             return self.package_signing_fingerprint
+        return self.package_signing_fingerprint_release_overrides_map.get(
+            release, self.package_signing_fingerprint
+        )
+
+    @cached_property
+    def package_signing_fingerprint_release_overrides_map(self):
+        """
+        Cached mapping of release distributions to package signing fingerprints.
+        """
+        return {
+            override.release_distribution: override.package_signing_fingerprint
+            for override in self.package_signing_fingerprint_release_overrides.all()
+        }
 
     def initialize_new_version(self, new_version):
         """

pulp_deb/app/serializers/repository_serializers.py

@@ -42,7 +42,7 @@ def to_representation(self, overrides):
 
 
 class PackageFingerprintOverrideField(serializers.DictField):
-    child = serializers.CharField(max_length=40)
+    child = serializers.CharField(max_length=40, allow_blank=True)
 
     def to_representation(self, overrides):
         return {x.release_distribution: x.package_signing_fingerprint for x in overrides.all()}

pulp_deb/app/tasks/signing.py

@@ -1,6 +1,8 @@
 from pathlib import Path
 from tempfile import NamedTemporaryFile
 
+from django.db.models import Q
+
 from pulpcore.plugin.models import (
     Upload,
     UploadChunk,
@@ -21,6 +23,11 @@
 )
 from pulp_deb.app.models import AptRepository, Package, PackageReleaseComponent
 
+import logging
+from gettext import gettext as _
+
+log = logging.getLogger(__name__)
+
 
 def _save_file(fileobj, final_package):
     with fileobj.file.open() as fd:
@@ -37,6 +44,9 @@ def _save_upload(uploadobj, final_package):
 
 
 def _sign_file(package_file, signing_service, signing_fingerprint):
+    logging.info(
+        _("Signing package %s with fingerprint %s"), package_file.name, signing_fingerprint
+    )
     result = signing_service.sign(package_file.name, pubkey_fingerprint=signing_fingerprint)
     signed_package_path = Path(result["deb_package"])
     if not signed_package_path.exists():
@@ -120,12 +130,23 @@ def signed_add_and_remove(
     repo = AptRepository.objects.get(pk=repository_pk)
 
     if repo.package_signing_service:
+        # map packages to releases
+        prcs = PackageReleaseComponent.objects.filter(
+            Q(pk__in=add_content_units) | Q(pk__in=repo.content.all())
+        ).select_related("package", "release_component")
+        package_release_map = {prc.package_id: prc.release_component.distribution for prc in prcs}
+
         # sign each package and replace it in the add_content_units list
         for package in Package.objects.filter(pk__in=add_content_units):
             content_artifact = package.contentartifact_set.first()
             artifact_obj = content_artifact.artifact
             package_id = package.pk
 
+            # match the package's release to a fingerprint override if one exists
+            fingerprint = repo.release_package_signing_fingerprint(
+                package_release_map.get(package_id)
+            )
+
             with NamedTemporaryFile(mode="wb", dir=".", delete=False) as final_package:
                 artifact_file = artifact_obj.file
                 _save_file(artifact_file, final_package)
@@ -137,15 +158,13 @@ def signed_add_and_remove(
                 # check if the package has been signed in the past with our fingerprint
                 if existing_result := DebPackageSigningResult.objects.filter(
                     sha256=content_artifact.artifact.sha256,
-                    package_signing_fingerprint=repo.package_signing_fingerprint,
+                    package_signing_fingerprint=fingerprint,
                 ).first():
                     _update_content_units(add_content_units, package_id, existing_result.result.pk)
                     continue
 
                 # create a new signed version of the package
-                artifact = _sign_file(
-                    final_package, repo.package_signing_service, repo.package_signing_fingerprint
-                )
+                artifact = _sign_file(final_package, repo.package_signing_service, fingerprint)
                 signed_package = package
                 signed_package.pk = None
                 signed_package.pulp_id = None