From 83fb1abf029e7f3a0f5377eff980efccc087a493 Mon Sep 17 00:00:00 2001
From: Daniel Alley <dalley@redhat.com>
Date: Thu, 2 Apr 2026 10:50:40 -0400
Subject: [PATCH] Add cargo publish support

Assisted-By: claude-opus-4.6
---
 README.md                                     |   1 -
 pulp_rust/app/tasks/__init__.py               |   1 +
 pulp_rust/app/tasks/publishing.py             | 110 ++++++++++
 pulp_rust/app/urls.py                         |  12 +-
 pulp_rust/app/views.py                        | 110 +++++++++-
 .../tests/functional/api/test_publish.py      | 205 ++++++++++++++++++
 pulp_rust/tests/functional/api/test_upload.py |  84 +++++++
 pulp_rust/tests/functional/utils.py           |  17 ++
 8 files changed, 533 insertions(+), 7 deletions(-)
 create mode 100644 pulp_rust/app/tasks/publishing.py
 create mode 100644 pulp_rust/tests/functional/api/test_publish.py
 create mode 100644 pulp_rust/tests/functional/api/test_upload.py

diff --git a/README.md b/README.md
index 60afe67..5c09c69 100644
--- a/README.md
+++ b/README.md
@@ -18,7 +18,6 @@ A Pulp plugin to support hosting your own Rust/Cargo package registry.
 
 The following features are not yet implemented but are planned for future releases:
 
-- **Publishing** (`cargo publish`) -- crates cannot yet be uploaded via the Cargo CLI
 - **Authentication & authorization** -- the registry is currently open to all clients
 - **Syncing** -- mirroring an entire upstream registry is not yet supported; use pull-through caching instead
 
diff --git a/pulp_rust/app/tasks/__init__.py b/pulp_rust/app/tasks/__init__.py
index 037ed67..49f4862 100755
--- a/pulp_rust/app/tasks/__init__.py
+++ b/pulp_rust/app/tasks/__init__.py
@@ -1,3 +1,4 @@
+from .publishing import parse_cargo_publish_body, apublish_package  # noqa
 from .synchronizing import synchronize  # noqa
 from .streaming import add_cached_content_to_repository  # noqa
 from .yanking import ayank_package, aunyank_package  # noqa
diff --git a/pulp_rust/app/tasks/publishing.py b/pulp_rust/app/tasks/publishing.py
new file mode 100644
index 0000000..9f08247
--- /dev/null
+++ b/pulp_rust/app/tasks/publishing.py
@@ -0,0 +1,110 @@
+import hashlib
+import struct
+
+from pulpcore.plugin.models import Artifact, ContentArtifact
+from pulpcore.plugin.tasking import aadd_and_remove
+
+from pulp_rust.app.models import RustContent, RustDependency, RustRepository
+from pulp_rust.app.utils import extract_cargo_toml, extract_dependencies
+
+
+def parse_cargo_publish_body(body):
+    """
+    Parse the binary request body from ``cargo publish``.
+
+    Format (per https://doc.rust-lang.org/cargo/reference/registry-web-api.html#publish):
+        4 bytes: JSON metadata length (little-endian u32)
+        N bytes: JSON metadata (UTF-8)
+        4 bytes: .crate file length (little-endian u32)
+        M bytes: .crate file (binary)
+
+    Returns:
+        (metadata_dict, crate_bytes)
+    """
+    import json
+
+    offset = 0
+
+    json_len = struct.unpack_from("<I", body, offset)[0]
+    offset += 4
+
+    json_bytes = body[offset : offset + json_len]
+    offset += json_len
+    metadata = json.loads(json_bytes)
+
+    crate_len = struct.unpack_from("<I", body, offset)[0]
+    offset += 4
+
+    crate_bytes = body[offset : offset + crate_len]
+    offset += crate_len
+
+    return metadata, crate_bytes
+
+
+async def apublish_package(repository_pk, metadata, crate_path):
+    """
+    Publish a crate to a repository.
+
+    Creates the Artifact, RustContent, ContentArtifact, and RustDependency records,
+    then adds the content to a new repository version.
+
+    Args:
+        repository_pk: Primary key of the target repository.
+        metadata: Parsed JSON metadata from the cargo publish request.
+        crate_path: Filesystem path to the .crate tarball.
+    """
+    repository = await RustRepository.objects.aget(pk=repository_pk)
+
+    # Create the artifact from the .crate file
+    with open(crate_path, "rb") as f:
+        cksum = hashlib.sha256(f.read()).hexdigest()
+
+    artifact = Artifact.init_and_validate(crate_path, expected_digests={"sha256": cksum})
+    await artifact.asave()
+
+    # Extract authoritative metadata from the Cargo.toml inside the .crate tarball.
+    # The publish JSON metadata is NOT authoritative — a rogue client can send metadata
+    # that doesn't match the actual package. We only use the JSON name/vers to locate the
+    # Cargo.toml within the tarball, then extract everything from the Cargo.toml itself.
+    # See: https://github.com/rust-lang/cargo/issues/14492
+    #      https://github.com/rust-lang/crates.io/pull/7238
+    cargo_toml = extract_cargo_toml(artifact.file.path, metadata["name"], metadata["vers"])
+    package = cargo_toml.get("package", {})
+
+    name = package["name"]
+    vers = package["version"]
+
+    # Build dependency list from the Cargo.toml (authoritative source)
+    deps = extract_dependencies(cargo_toml)
+
+    # Create the content record
+    content = RustContent(
+        name=name,
+        vers=vers,
+        cksum=cksum,
+        features=cargo_toml.get("features", {}),
+        features2=None,
+        links=package.get("links"),
+        rust_version=package.get("rust-version"),
+        _pulp_domain_id=repository.pulp_domain_id,
+    )
+    await content.asave()
+
+    # Create dependencies
+    if deps:
+        await RustDependency.objects.abulk_create(
+            [RustDependency(content=content, **dep) for dep in deps]
+        )
+
+    # Create the content artifact (links the .crate file to the content)
+    relative_path = f"{name}/{name}-{vers}.crate"
+    await ContentArtifact.objects.acreate(
+        artifact=artifact, content=content, relative_path=relative_path
+    )
+
+    # Add the content to a new repository version
+    await aadd_and_remove(
+        repository_pk=repository.pk,
+        add_content_units=[content.pk],
+        remove_content_units=[],
+    )
diff --git a/pulp_rust/app/urls.py b/pulp_rust/app/urls.py
index 761d435..b0caa2f 100644
--- a/pulp_rust/app/urls.py
+++ b/pulp_rust/app/urls.py
@@ -1,7 +1,12 @@
 from django.conf import settings
 from django.urls import path
 
-from pulp_rust.app.views import IndexRoot, CargoIndexApiViewSet, CargoDownloadApiView
+from pulp_rust.app.views import (
+    IndexRoot,
+    CargoIndexApiViewSet,
+    CargoDownloadApiView,
+    CargoPublishApiView,
+)
 
 if settings.DOMAIN_ENABLED:
     CRATES_IO_URL = "pulp/cargo/<slug:pulp_domain>/<slug:repo>/"
@@ -10,6 +15,11 @@
 
 
 urlpatterns = [
+    path(
+        CRATES_IO_URL + "api/v1/crates/new",
+        CargoPublishApiView.as_view(),
+        name="cargo-publish-api",
+    ),
     path(
         CRATES_IO_URL + "api/v1/crates/<str:name>/<str:version>/<path:rest>",
         CargoDownloadApiView.as_view(),
diff --git a/pulp_rust/app/views.py b/pulp_rust/app/views.py
index 9e02bde..a8d9fdf 100644
--- a/pulp_rust/app/views.py
+++ b/pulp_rust/app/views.py
@@ -1,12 +1,13 @@
 import json
 import logging
+import tempfile
 import urllib.request
 import urllib.error
 
+from rest_framework.renderers import BaseRenderer, JSONRenderer
 from rest_framework.views import APIView
 from rest_framework.viewsets import ViewSet
 from rest_framework.exceptions import Throttled
-from rest_framework.renderers import BaseRenderer
 from django.core.exceptions import ObjectDoesNotExist
 from django.shortcuts import redirect, get_object_or_404
 
@@ -20,7 +21,6 @@
 from urllib.parse import urljoin
 
 from pulpcore.plugin.util import get_domain
-
 from pulpcore.plugin.tasking import dispatch
 
 from pulp_rust.app.models import (
@@ -29,7 +29,12 @@
     RustPackageYank,
     _strip_sparse_prefix,
 )
-from pulp_rust.app.tasks import ayank_package, aunyank_package
+from pulp_rust.app.tasks import (
+    ayank_package,
+    aunyank_package,
+    apublish_package,
+    parse_cargo_publish_body,
+)
 from pulp_rust.app.serializers import (
     IndexRootSerializer,
     RustContentSerializer,
@@ -110,7 +115,7 @@ def initial(self, request, *args, **kwargs):
         else:
             cargo_base = request.build_absolute_uri(f"/pulp/cargo/{repo}/")
             self.base_content_url = urljoin(BASE_CONTENT_URL, f"pulp/cargo/{repo}/")
-        self.base_api_url = cargo_base
+        self.base_api_url = cargo_base.rstrip("/")
         self.base_download_url = f"{cargo_base}api/v1/crates"
 
     @classmethod
@@ -253,6 +258,101 @@ def retrieve(self, request, repo):
         return HttpResponse(json.dumps(data), content_type="application/json")
 
 
+class CargoPublishApiView(APIView):
+    """
+    View for Cargo's crate publish endpoint (PUT /api/v1/crates/new).
+
+    Parses the custom binary format from ``cargo publish`` and dispatches a task
+    to create the artifact, content, and new repository version.
+
+    See: https://doc.rust-lang.org/cargo/reference/registry-web-api.html#publish
+    """
+
+    # TODO: Authentication/authorization is not yet implemented.
+    # All users with network access can publish. In production, this should
+    # require a valid token and verify crate ownership.
+    authentication_classes = []
+    permission_classes = []
+    renderer_classes = [JSONRenderer]
+
+    def get_distribution(self):
+        return get_object_or_404(
+            RustDistribution, base_path=self.kwargs["repo"], pulp_domain=get_domain()
+        )
+
+    @staticmethod
+    def _error_response(detail, status=400):
+        return HttpResponse(
+            json.dumps({"errors": [{"detail": detail}]}),
+            content_type="application/json",
+            status=status,
+        )
+
+    def put(self, request, **kwargs):
+        """
+        Handle ``cargo publish`` requests.
+
+        Parses the binary body (JSON metadata + .crate tarball), validates the
+        distribution allows uploads and the crate doesn't already exist in the
+        repository, then dispatches a publish task.
+        """
+        distro = self.get_distribution()
+
+        if not distro.allow_uploads:
+            return self._error_response("this registry does not allow uploads", status=403)
+
+        if not distro.repository:
+            return self._error_response(
+                "no repository associated with this distribution", status=404
+            )
+
+        try:
+            metadata, crate_bytes = parse_cargo_publish_body(request.body)
+        except Exception:
+            return self._error_response("invalid publish request body")
+
+        name = metadata.get("name")
+        vers = metadata.get("vers")
+        if not name or not vers:
+            return self._error_response("missing required fields: name, vers")
+
+        # Check for duplicates before dispatching — crates.io rejects re-publishing
+        repo_version = distro.repository.latest_version()
+        if RustContent.objects.filter(pk__in=repo_version.content, name=name, vers=vers).exists():
+            return self._error_response(f"crate version `{name}@{vers}` is already uploaded")
+
+        # Write the .crate bytes to a temp file — raw bytes can't be passed
+        # through dispatch() because task kwargs are stored as JSON.
+        tmp = tempfile.NamedTemporaryFile(suffix=".crate", delete=False)
+        tmp.write(crate_bytes)
+        tmp.close()
+
+        task = dispatch(
+            apublish_package,
+            exclusive_resources=[distro.repository],
+            immediate=True,
+            kwargs={
+                "repository_pk": str(distro.repository.pk),
+                "metadata": metadata,
+                "crate_path": tmp.name,
+            },
+        )
+        has_task_completed(task)
+
+        return HttpResponse(
+            json.dumps(
+                {
+                    "warnings": {
+                        "invalid_categories": [],
+                        "invalid_badges": [],
+                        "other": [],
+                    }
+                }
+            ),
+            content_type="application/json",
+        )
+
+
 class CargoDownloadApiView(APIView):
     """
     View for Cargo's crate download, readme, yank, and unyank endpoints.
@@ -261,7 +361,7 @@ class CargoDownloadApiView(APIView):
     # Authentication disabled for now
     authentication_classes = []
     permission_classes = []
-    renderer_classes = [PlainTextRenderer]
+    renderer_classes = [PlainTextRenderer, JSONRenderer]
 
     def get_full_path(self, base_path, pulp_domain=None):  # TODO: replace with ApiMixin?
         if settings.DOMAIN_ENABLED:
diff --git a/pulp_rust/tests/functional/api/test_publish.py b/pulp_rust/tests/functional/api/test_publish.py
new file mode 100644
index 0000000..72cf074
--- /dev/null
+++ b/pulp_rust/tests/functional/api/test_publish.py
@@ -0,0 +1,205 @@
+"""Tests for the Cargo publish API (PUT /api/v1/crates/new)."""
+
+import json
+import struct
+
+import requests
+
+from pulp_rust.tests.functional.utils import (
+    assert_index_entry_matches_upstream,
+    download_crate_from_upstream,
+    get_index_entry,
+)
+from pulp_rust.app.utils import extract_cargo_toml, extract_dependencies
+
+
+def build_cargo_publish_body(metadata, crate_bytes):
+    """Build the binary request body that ``cargo publish`` sends.
+
+    Format (per Cargo registry web API spec):
+        4 bytes: JSON metadata length (little-endian u32)
+        N bytes: JSON metadata (UTF-8)
+        4 bytes: .crate file length (little-endian u32)
+        M bytes: .crate file (binary)
+    """
+    json_bytes = json.dumps(metadata).encode("utf-8")
+    return (
+        struct.pack("<I", len(json_bytes))
+        + json_bytes
+        + struct.pack("<I", len(crate_bytes))
+        + crate_bytes
+    )
+
+
+def cargo_publish(url, metadata, crate_bytes):
+    """Send a publish request mimicking ``cargo publish``.
+
+    Cargo sends Content-Type: application/json even though the body is a
+    custom binary format, not valid JSON.
+    """
+    body = build_cargo_publish_body(metadata, crate_bytes)
+    return requests.put(
+        f"{url}api/v1/crates/new",
+        data=body,
+        headers={"Content-Type": "application/json"},
+        verify=False,
+    )
+
+
+def build_publish_metadata(crate_path, crate_name, crate_version):
+    """Extract metadata from a .crate file and format it for the publish API.
+
+    Cargo uses "version_req" (not "req") and "explicit_name_in_toml" (not "package")
+    per the Cargo registry web API spec.
+    """
+    cargo_toml = extract_cargo_toml(crate_path, crate_name, crate_version)
+    deps = extract_dependencies(cargo_toml)
+
+    return {
+        "name": crate_name,
+        "vers": crate_version,
+        "deps": [
+            {
+                "name": dep["name"],
+                "version_req": dep["req"],
+                "features": dep["features"],
+                "optional": dep["optional"],
+                "default_features": dep["default_features"],
+                "target": dep["target"],
+                "kind": dep["kind"],
+                "registry": dep.get("registry"),
+                "explicit_name_in_toml": dep.get("package"),
+            }
+            for dep in deps
+        ],
+        "features": cargo_toml.get("features", {}),
+        "links": cargo_toml.get("package", {}).get("links"),
+        "rust_version": cargo_toml.get("package", {}).get("rust-version"),
+    }
+
+
+def test_cargo_publish_and_index_fidelity(
+    delete_orphans_pre,
+    rust_repo_factory,
+    rust_distribution_factory,
+    cargo_registry_url,
+    upstream_index_entry,
+):
+    """Publish a crate via the Cargo publish API and verify the index matches crates.io."""
+    crate_name = "serde"
+    crate_version = "1.0.210"
+
+    crate_path, cksum = download_crate_from_upstream(crate_name, crate_version)
+    with open(crate_path, "rb") as f:
+        crate_bytes = f.read()
+
+    metadata = build_publish_metadata(crate_path, crate_name, crate_version)
+
+    repository = rust_repo_factory()
+    distribution = rust_distribution_factory(repository=repository.pulp_href, allow_uploads=True)
+    base = cargo_registry_url(distribution.base_path)
+
+    response = cargo_publish(base, metadata, crate_bytes)
+    assert response.status_code == 200, response.text
+    result = response.json()
+    assert "warnings" in result
+
+    # Fetch the index from Pulp and compare against crates.io
+    pulp_entry = get_index_entry(base, "se/rd/serde", "1.0.210")
+    assert_index_entry_matches_upstream(pulp_entry, upstream_index_entry)
+
+
+def test_cargo_publish_duplicate_rejected(
+    delete_orphans_pre,
+    rust_repo_factory,
+    rust_distribution_factory,
+    cargo_registry_url,
+):
+    """Publishing the same crate version twice should be rejected."""
+    crate_name = "serde"
+    crate_version = "1.0.210"
+
+    crate_path, _ = download_crate_from_upstream(crate_name, crate_version)
+    with open(crate_path, "rb") as f:
+        crate_bytes = f.read()
+
+    metadata = build_publish_metadata(crate_path, crate_name, crate_version)
+
+    repository = rust_repo_factory()
+    distribution = rust_distribution_factory(repository=repository.pulp_href, allow_uploads=True)
+    base = cargo_registry_url(distribution.base_path)
+
+    # First publish should succeed
+    response = cargo_publish(base, metadata, crate_bytes)
+    assert response.status_code == 200, response.text
+
+    # Second publish of the same version should be rejected
+    response = cargo_publish(base, metadata, crate_bytes)
+    assert response.status_code == 400
+    errors = response.json()["errors"]
+    assert any("already uploaded" in e["detail"] for e in errors)
+
+
+def test_cargo_publish_ignores_tampered_json_metadata(
+    delete_orphans_pre,
+    rust_repo_factory,
+    rust_distribution_factory,
+    cargo_registry_url,
+    upstream_index_entry,
+):
+    """Tampered JSON metadata should be ignored in favor of the Cargo.toml in the tarball.
+
+    See: https://github.com/rust-lang/cargo/issues/14492
+    """
+    crate_name = "serde"
+    crate_version = "1.0.210"
+
+    crate_path, cksum = download_crate_from_upstream(crate_name, crate_version)
+    with open(crate_path, "rb") as f:
+        crate_bytes = f.read()
+
+    # Build correct metadata, then tamper with it
+    metadata = build_publish_metadata(crate_path, crate_name, crate_version)
+    metadata["deps"] = [
+        {
+            "name": "evil-dep",
+            "version_req": "^1.0",
+            "features": [],
+            "optional": False,
+            "default_features": True,
+            "target": None,
+            "kind": "normal",
+            "registry": None,
+            "explicit_name_in_toml": None,
+        }
+    ]
+    metadata["features"] = {"backdoor": ["evil-dep"]}
+    metadata["links"] = "tampered-link"
+
+    repository = rust_repo_factory()
+    distribution = rust_distribution_factory(repository=repository.pulp_href, allow_uploads=True)
+    base = cargo_registry_url(distribution.base_path)
+
+    response = cargo_publish(base, metadata, crate_bytes)
+    assert response.status_code == 200, response.text
+
+    # The index entry should match crates.io (i.e. the Cargo.toml), not the tampered JSON
+    pulp_entry = get_index_entry(base, "se/rd/serde", "1.0.210")
+    assert_index_entry_matches_upstream(pulp_entry, upstream_index_entry)
+
+
+def test_cargo_publish_uploads_disabled(
+    rust_repo_factory,
+    rust_distribution_factory,
+    cargo_registry_url,
+):
+    """Publishing to a distribution with allow_uploads=False should be rejected."""
+    repository = rust_repo_factory()
+    distribution = rust_distribution_factory(repository=repository.pulp_href, allow_uploads=False)
+    base = cargo_registry_url(distribution.base_path)
+
+    metadata = {"name": "foo", "vers": "0.1.0", "deps": [], "features": {}}
+    response = cargo_publish(base, metadata, b"fake-crate-data")
+    assert response.status_code == 403
+    errors = response.json()["errors"]
+    assert any("does not allow uploads" in e["detail"] for e in errors)
diff --git a/pulp_rust/tests/functional/api/test_upload.py b/pulp_rust/tests/functional/api/test_upload.py
new file mode 100644
index 0000000..2c5b3ed
--- /dev/null
+++ b/pulp_rust/tests/functional/api/test_upload.py
@@ -0,0 +1,84 @@
+"""Tests for uploading crate content via the Pulp REST API and verifying index fidelity."""
+
+from pulpcore.client.pulp_rust import RustRustContent, RustDependency
+
+from pulp_rust.tests.functional.utils import (
+    assert_index_entry_matches_upstream,
+    download_crate_from_upstream,
+    get_index_entry,
+)
+from pulp_rust.app.utils import extract_cargo_toml, extract_dependencies
+
+
+def test_upload_and_index_fidelity(
+    delete_orphans_pre,
+    rust_repo_factory,
+    rust_distribution_factory,
+    rust_content_api_client,
+    rust_repo_api_client,
+    monitor_task,
+    cargo_registry_url,
+    pulpcore_bindings,
+    upstream_index_entry,
+):
+    """Upload a crate via the REST API and verify the index matches crates.io."""
+    crate_name = "serde"
+    crate_version = "1.0.210"
+
+    # 1. Download .crate directly from crates.io
+    crate_path, cksum = download_crate_from_upstream(crate_name, crate_version)
+
+    # 2. Parse metadata from the .crate file
+    cargo_toml = extract_cargo_toml(crate_path, crate_name, crate_version)
+    deps = extract_dependencies(cargo_toml)
+    features = cargo_toml.get("features", {})
+    links = cargo_toml.get("package", {}).get("links")
+    rust_version = cargo_toml.get("package", {}).get("rust-version")
+
+    # 3. Upload the .crate as an artifact
+    artifact = pulpcore_bindings.ArtifactsApi.create(crate_path)
+
+    # 4. Create the RustContent with metadata
+    content = rust_content_api_client.create(
+        RustRustContent(
+            artifact=artifact.pulp_href,
+            relative_path=f"{crate_name}/{crate_name}-{crate_version}.crate",
+            name=crate_name,
+            vers=crate_version,
+            cksum=cksum,
+            dependencies=[
+                RustDependency(
+                    name=dep["name"],
+                    req=dep["req"],
+                    features=dep["features"],
+                    optional=dep["optional"],
+                    default_features=dep["default_features"],
+                    target=dep["target"],
+                    kind=dep["kind"],
+                    registry=dep.get("registry"),
+                    package=dep.get("package"),
+                )
+                for dep in deps
+            ],
+            features=features,
+            links=links,
+            rust_version=rust_version,
+        )
+    )
+
+    # 5. Create a repository and add the content
+    repository = rust_repo_factory()
+    monitor_task(
+        rust_repo_api_client.modify(
+            repository.pulp_href,
+            {"add_content_units": [content.pulp_href]},
+        ).task
+    )
+
+    # 6. Create a distribution (no remote — purely local)
+    distribution = rust_distribution_factory(repository=repository.pulp_href)
+    base = cargo_registry_url(distribution.base_path)
+
+    # 7. Fetch the index from Pulp and compare against crates.io
+    pulp_entry = get_index_entry(base, "se/rd/serde", "1.0.210")
+    assert_index_entry_matches_upstream(pulp_entry, upstream_index_entry)
diff --git a/pulp_rust/tests/functional/utils.py b/pulp_rust/tests/functional/utils.py
index a7848f5..052c65c 100644
--- a/pulp_rust/tests/functional/utils.py
+++ b/pulp_rust/tests/functional/utils.py
@@ -1,10 +1,13 @@
+import hashlib
 import json
+import tempfile
 
 import aiohttp
 import asyncio
 from dataclasses import dataclass
 
 CRATES_IO_URL = "sparse+https://index.crates.io/"
+CRATES_IO_DOWNLOAD_URL = "https://static.crates.io/crates/"
 
 # Fields from the sparse index that Pulp should faithfully reproduce.
 # "yanked" is excluded because it depends on per-repo yank state, not upstream.
@@ -70,6 +73,20 @@ def get_index_entry(url, sparse_path, version):
     return entry
 
 
+def download_crate_from_upstream(name, version):
+    """Download a .crate file directly from crates.io and return (path, sha256)."""
+    url = f"{CRATES_IO_DOWNLOAD_URL}{name}/{name}-{version}.crate"
+    downloaded = download_file(url)
+    assert downloaded.response_obj.status == 200
+
+    tmp = tempfile.NamedTemporaryFile(suffix=".crate", delete=False)
+    tmp.write(downloaded.body)
+    tmp.flush()
+
+    cksum = hashlib.sha256(downloaded.body).hexdigest()
+    return tmp.name, cksum
+
+
 def assert_index_entry_matches_upstream(pulp_entry, upstream_entry):
     """Assert that a Pulp-served index entry matches the upstream for all stored fields."""
     for field in INDEX_FIELDS_TO_COMPARE: